8 ways to help protect your kids’ privacy against smart toy vulnerabilities
The man slipped into the darkened room quietly, treading carefully so as not to wake the person sleeping on the bed. He paused as the figure stirred, then placed the cleverly disguised device in an unobtrusive spot on a corner shelf. Opening an app on his smartphone, he ensured the sensors, microphone and camera were working, then quickly retreated to the door, closing it gently behind him. Mission accomplished.
No, this isn’t a scene from the latest spy film. It’s a scenario that could be playing out in connected homes across the country as more and more parents use smart baby monitors to keep an eye on their little ones. No longer glorified speakers, baby monitors have evolved into sophisticated smart devices that allow concerned parents to make sure their children are safe and secure.
Ironically, connected baby monitors and other high-tech Internet of Things (IoT) devices made with children in mind could put your privacy and personal information in harm’s way. In July 2017, the Federal Bureau of Investigation (FBI) issued a public service announcement warning that Internet-connected toys could present privacy concerns for children.1
How can smart toys put children at risk?
In addition to the more mainstream microphones and cameras, the newest generation of connected toys now offer high-tech features such as speech and facial recognition and GPS tracking.
Since smart devices and toys have been largely unregulated, the U.S. government is stepping in to implement policies to help give parents more control over what information websites can collect about their children. The Children’s Online Privacy Protection Act (COPPA) set standards for online information collection about children under 13.2 On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for COPPA-complying companies to include key protections about internet-connected toys and associated services such as mobile apps, GPS and VoIP.3
IoT security warnings from the young
In May 2017, an 11-year-old boy named Reuben Paul schooled a room full of security experts on how to hack Bluetooth-enabled devices to take control of an IoT teddy bear. As he explained, “Most internet-connected things have a Bluetooth functionality … I basically showed how I could connect to it, and send commands to it.”4
“From airplanes to automobiles, from smartphones to smart homes, anything or any toy can be part of the Internet of Things. … From terminators to teddy bears, anything or any toy can be weaponized,” said the Texas sixth-grader.4
8 ways to help protect your kids' privacy against sketchy smart toys
Aside from protecting your connected home — including vulnerable smart toys — with a secure Wi-Fi router, here are a few tips that could give your smart toy story a happier ending.
- Secure your Wi-Fi network with a unique and complex password (not the one that came with the device) and turn off device features that automatically connect to Wi-Fi or Bluetooth. Your smart toys could be less vulnerable to hackers if they aren’t constantly connected to the Internet, so remember to disconnect them or turn them off when they’re not in use.
- Before buying a smart device for your child, be sure to research it for negative news stories or consumer reviews. You might also check child advocacy websites, like Common Sense, for more information.
- Sometimes in the rush for manufacturers to get their new products to market, they may overlook security features. Determine what in-place security measures come with the toy. What kind of data is captured, such as voice recordings or facial recognition. Is that data encrypted or does the toy require authentication like a PIN or password when pairing with Bluetooth or Wi-Fi?
- Know if the toy stores data internally or uses the cloud. There are benefits to having collected data stored on the device, such as not having to worry about the security of external servers. If data is transmitted, it should be encrypted.
- Find out if the toy’s firmware or software will be updated automatically or if you will need to be vigilant about updating these yourself when they are made available by the manufacturer. If the latter, always be sure to install patches or updates as soon as possible. Doing so could protect the device from known vulnerabilities.
- Many connected toys have apps or online portals where you can set up a user account to log in. Be sure to use a complex password and fill in personal account details with caution. Think twice about providing your child’s full name and date of birth, which could potentially mark him or her for identity theft if that data is stolen or breached. Consider entering an alias or nickname for your child instead.
- Monitor your children’s interactions with any connected toys or devices, and have frequent conversations with them about how to use the smart toys safely.
1 FBI, “Consumer notice: Internet-connected toys could present privacy and contact concerns for children,” July 17, 2017.
2 FTC, Children’s Online Privacy Protection Act.
3 FTC, “Children’s online privacy protection rule: A six-step compliance plan for your business,” June 2017.
4 Mashable.com, “11-year-old casually hacks into security experts’ Bluetooth to control teddy bear,” May 17, 2017.
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2019 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.