8 ways to help protect your kids’ privacy against smart toy vulnerabilities

The man slipped into the darkened room quietly, treading carefully so as not to wake the person sleeping on the bed. He paused as the figure stirred, then placed the cleverly disguised device in an unobtrusive spot on a corner shelf. Opening an app on his smartphone, he ensured the sensors, microphone and camera were working, then quickly retreated to the door, closing it gently behind him. Mission accomplished.

No, this isn’t a scene from the latest spy film. It’s a scenario that could be playing out in connected homes across the country as more and more parents use smart baby monitors to keep an eye on their little ones. No longer glorified speakers, baby monitors have evolved into sophisticated smart devices that allow concerned parents to make sure their children are safe and secure.

Ironically, connected baby monitors and other high-tech Internet of Things (IoT) devices made with children in mind could put your privacy and personal information in harm’s way. In July 2017, the Federal Bureau of Investigation (FBI) issued a public service announcement warning that Internet-connected toys could present privacy concerns for children.[1]

How can smart toys put children at risk?

In addition to the more mainstream microphones and cameras, the newest generation of connected toys now offers high-tech features such as speech and facial recognition and GPS tracking.

These features alone may not put children in physical danger, but the information they collect — and how that data is stored or shared — could. For example, a smart doll that responds to questions might have a voice-recognition feature that also records its chats with the child in order to make the doll “smarter” for future conversations. In this scenario, personally identifying and sensitive information could be collected, such as a child’s name, school or routines. If the recorded information is not encrypted, or if the data is transmitted via Bluetooth or over an unsecured Wi-Fi connection, cybercriminals could potentially gain access to valuable information that could be used for identity theft. Or, if the toy company states in its privacy policy that it allows user data to be sold, a child’s identifying information could end up in the hands of third parties.

Since smart devices and toys have been largely unregulated, the U.S. government is stepping in to implement policies to help give parents more control over what information websites can collect about their children. The Children’s Online Privacy Protection Act (COPPA) set standards for online information collection about children under 13.[2] On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for COPPA-complying companies to include key protections about internet-connected toys and associated services such as mobile apps, GPS and VoIP.[3]

IoT security warnings from the young

In May 2017, an 11-year-old boy named Reuben Paul schooled a room full of security experts on how to hack Bluetooth-enabled devices to take control of an IoT teddy bear. As he explained, “Most internet-connected things have a Bluetooth functionality … I basically showed how I could connect to it, and send commands to it.”[4]

“From airplanes to automobiles, from smartphones to smart homes, anything or any toy can be part of the Internet of Things. … From terminators to teddy bears, anything or any toy can be weaponized,” said the Texas sixth-grader.[4]

8 ways to help protect your kids' privacy against sketchy smart toys

Aside from protecting your connected home — including vulnerable smart toys — with a secure Wi-Fi router, here are a few tips that could give your smart toy story a happier ending.

  1. Secure your Wi-Fi network with a unique and complex password (not the one that came with the device) and turn off device features that automatically connect to Wi-Fi or Bluetooth. Your smart toys could be less vulnerable to hackers if they aren’t constantly connected to the Internet, so remember to disconnect them or turn them off when they’re not in use.
  2. Before buying a smart device for your child, be sure to research it for negative news stories or consumer reviews. You might also check child advocacy websites, like Common Sense, for more information.
  3. In the rush to get new products to market, manufacturers may sometimes overlook security features. Determine what security measures come with the toy. What kind of data is captured, such as voice recordings or facial recognition? Is that data encrypted? Does the toy require authentication like a PIN or password when pairing with Bluetooth or Wi-Fi?
  4. Read the privacy policy to find out what types of information will be collected and how they will be used. The privacy policy should also contain a section about security, which explains how that data will be secured.
  5. Know if the toy stores data internally or uses the cloud. There are benefits to having collected data stored on the device, such as not having to worry about the security of external servers. If data is transmitted, it should be encrypted.
  6. Find out if the toy’s firmware or software will be updated automatically or if you will need to be vigilant about updating these yourself when they are made available by the manufacturer. If the latter, always be sure to install patches or updates as soon as possible. Doing so could protect the device from known vulnerabilities.
  7. Many connected toys have apps or online portals where you can set up a user account to log in. Be sure to use a complex password and fill in personal account details with caution. Think twice about providing your child’s full name and date of birth, which could potentially mark him or her for identity theft if that data is stolen or breached. Consider entering an alias or nickname for your child instead.
  8. Monitor your children’s interactions with any connected toys or devices, and have frequent conversations with them about how to use the smart toys safely.


Copyright © 2019 Symantec Corporation. All rights reserved.