Kids' Safety

8 ways to help protect your kids from vulnerable smart toys.

Authored by a Symantec employee


The man slipped into the darkened room quietly, treading carefully so as not to wake the person sleeping on the bed. He paused as the figure stirred, then placed the cleverly disguised device in an unobtrusive spot on a corner shelf. Opening an app on his smartphone, he ensured the sensors, microphone and camera were working, then quickly retreated to the door, closing it gently behind him. Mission accomplished.

No, this isn’t a scene from the latest spy film. It’s a scenario that could be playing out in smart homes across the country as more and more parents use baby monitors to keep an eye on their little ones. No longer glorified speakers, baby monitors have evolved into sophisticated smart devices that allow concerned parents to make sure their children are safe and secure.

Ironically, connected baby monitors and other high-tech Internet of Things (IoT) devices made with children in mind could put them in harm’s way. In July 2017, the Federal Bureau of Investigation (FBI) issued a public service announcement warning that connected toys could present privacy concerns for children.1

Managing your connected home’s security today is a tall order.

Enter Norton Core. A secure router for your connected home — because smart homes need smart security solutions.

Help protect your PCs, phones and tablets, and now your IoT devices too.

How can smart toys put children at risk?
In addition to the more mainstream microphones and cameras, the newest generation of connected toys now offers high-tech features such as speech and facial recognition and GPS tracking.

These features in and of themselves do not put children in danger, but the information they collect — and how that data is stored or shared — could. For example, a smart doll that responds to questions might have a voice-recognition feature that also records chats in order to make the doll “smarter” for future conversations. In this scenario, personally identifying and sensitive information could be collected, such as a child’s name, school or routines. If the information being accessed is not encrypted, or if the data is transmitted via Bluetooth or unsecured Wi-Fi, hackers could gain access to valuable information that could be used for identity theft. Or, if the toy company states in its privacy policy that it allows user data to be sold, a child’s information could end up in the hands of third parties.

Since smart devices and toys are largely unregulated, the U.S. government is stepping in to implement policies to protect children. The Children’s Online Privacy Protection Act (COPPA) set standards for online information collection about children under 13.2 On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for COPPA-complying companies to include key protections about Internet-connected toys and associated services such as mobile apps, GPS and VoIP.3

IoT security warnings from the mouths of babes
In May 2017, an 11-year-old boy named Reuben Paul schooled a room full of security experts on how to hack Bluetooth-enabled devices to take control of an IoT teddy bear. As he explained, “Most Internet-connected things have a Bluetooth functionality … I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light.”4

“From airplanes to automobiles, from smartphones to smart homes, anything or any toy can be part of the Internet of Things.… From terminators to teddy bears, anything or any toy can be weaponized,” said the Texas sixth-grader.4

How to make IoT security child’s play
Imagine if a nearby hacker were able to access your home Wi-Fi network or Bluetooth signals. How many connected toys might the hacker be able to access and use to spy on your children? It’s a chilling possibility, but one that must be considered as more IoT devices hit the market. After all, there have already been numerous news stories about such incidents.5

Because it’s not yet standard for smart devices to have built-in security, it’s often up to you, the consumer, to take precautions and help protect your smart home. A secure Wi-Fi router, like Norton CoreTM, could make such security like child’s play. Norton Core, combined with a Norton Core Security Plus subscription, makes it possible to help defend an unlimited number of your connected devices on your home network by stopping cyber-attacks at the network level. That’s no small accomplishment as Symantec researchers found that such attempts to attack an average IoT device in 2016 occurred once every two minutes during peak activity.6

8 ways to help protect your kids from sketchy smart toys
Aside from protecting your connected home — including vulnerable smart toys — with a secure Wi-Fi router, here are a few tips that could give your smart toy story a happier ending.

1. Secure your Wi-Fi network with a strong password and turn off device features that automatically connect to Wi-Fi or Bluetooth. Your smart toys could be less vulnerable to hackers if they aren’t constantly connected to the Internet, so remember to disconnect them or turn them off when they’re not in use.

2. Before buying a smart device for your child, be sure to research it for negative news stories or consumer reviews. You might also check child advocacy websites, like Common Sense, for information.

3. Determine what in-place security measures come with the toy. Is data encrypted or does the toy require authentication like a PIN or password when pairing with Bluetooth or Wi-Fi?

4. Read the privacy policy to find out what types of information will be collected and how they will be used. The privacy policy should also contain a section about security, which explains how that data will be secured.

5. Know if the toy stores data internally or uses the cloud. There are benefits to having collected data stored on the device, such as not having to worry about the security of external servers. If data is transmitted, it should be encrypted.

6. Find out if the toy’s firmware or software will be updated automatically or if you will need to be vigilant about updating these yourself when they are made available. If the latter, always be sure to install patches or updates as soon as possible. Doing so could protect the device from known vulnerabilities.

7. Many connected toys have apps or online portals where you can set up a user account to log in. Be sure to use a complex password and fill in personal account details with caution. Think twice about providing your child’s full name and date of birth, which could potentially mark him or her for identity theft if that data is stolen or breached. Consider entering an alias or nickname for your child instead.

8. The most important tip is to monitor your children’s interactions with any connected toys and to have conversations with them about how to use the smart toys safely.


Managing your connected home’s security today is a tall order.

Enter Norton Core. A secure router for your connected home — because smart homes need smart security solutions.

Help protect your PCs, phones and tablets, and now your IoT devices too.

Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.

Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome and Android are trademarks of Google, LLC. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced and/or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other company names and product names are registered trademarks or trademarks of each company.