Authored by a Symantec employee
The man slipped into the darkened room quietly, treading carefully so as not to wake the person sleeping on the bed. He paused as the figure stirred, then placed the cleverly disguised device in an unobtrusive spot on a corner shelf. Opening an app on his smartphone, he ensured the sensors, microphone and camera were working, then quickly retreated to the door, closing it gently behind him. Mission accomplished.
No, this isn’t a scene from the latest spy film. It’s a scenario that could be playing out in smart homes across the country as more and more parents use baby monitors to keep an eye on their little ones. No longer glorified speakers, baby monitors have evolved into sophisticated smart devices that allow concerned parents to make sure their children are safe and secure.
Ironically, connected baby monitors and other high-tech Internet of Things (IoT) devices made with children in mind could put them in harm’s way. In July 2017, the Federal Bureau of Investigation (FBI) issued a public service announcement warning that connected toys could present privacy concerns for children.[1]
How can smart toys put children at risk?
In addition to the more mainstream microphones and cameras, the newest generation of connected toys now offers high-tech features such as speech and facial recognition and GPS tracking.
Since smart devices and toys are largely unregulated, the U.S. government is stepping in to implement policies to protect children. The Children’s Online Privacy Protection Act (COPPA) set standards for online information collection about children under 13.[2] On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for COPPA-complying companies to include key protections about Internet-connected toys and associated services such as mobile apps, GPS and VoIP.[3]
IoT security warnings from the mouths of babes
In May 2017, an 11-year-old boy named Reuben Paul schooled a room full of security experts on how to hack Bluetooth-enabled devices to take control of an IoT teddy bear. As he explained, “Most Internet-connected things have a Bluetooth functionality … I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light.”[4]
“From airplanes to automobiles, from smartphones to smart homes, anything or any toy can be part of the Internet of Things. … From terminators to teddy bears, anything or any toy can be weaponized,” said the Texas sixth-grader.[4]
How to make IoT security child’s play
Imagine if a nearby hacker were able to access your home Wi-Fi network or Bluetooth signals. How many connected toys might the hacker be able to access and use to spy on your children? It’s a chilling possibility, but one that must be considered as more IoT devices hit the market. After all, there have already been numerous news stories about such incidents.[5]
Because it’s not yet standard for smart devices to have built-in security, it’s often up to you, the consumer, to take precautions and help protect your smart home. A secure Wi-Fi router, like Norton Core™, could make such security child’s play. Norton Core, combined with a Norton Core Security Plus subscription, makes it possible to help defend an unlimited number of connected devices on your home network by stopping cyber-attacks at the network level. That’s no small accomplishment, as Symantec researchers found that attempts to attack an average IoT device in 2016 occurred once every two minutes during peak activity.[6]
8 ways to help protect your kids from sketchy smart toys
Aside from protecting your connected home — including vulnerable smart toys — with a secure Wi-Fi router, here are a few tips that could give your smart toy story a happier ending.
1. Secure your Wi-Fi network with a strong password and turn off device features that automatically connect to Wi-Fi or Bluetooth. Your smart toys could be less vulnerable to hackers if they aren’t constantly connected to the Internet, so remember to disconnect them or turn them off when they’re not in use.
2. Before buying a smart device for your child, be sure to research it for negative news stories or consumer reviews. You might also check child advocacy websites, like Common Sense, for information.
3. Determine what in-place security measures come with the toy. Is data encrypted or does the toy require authentication like a PIN or password when pairing with Bluetooth or Wi-Fi?
5. Know if the toy stores data internally or uses the cloud. There are benefits to having collected data stored on the device, such as not having to worry about the security of external servers. If data is transmitted, it should be encrypted.
6. Find out if the toy’s firmware or software will be updated automatically or if you will need to be vigilant about updating these yourself when they are made available. If the latter, always be sure to install patches or updates as soon as possible. Doing so could protect the device from known vulnerabilities.
7. Many connected toys have apps or online portals where you can set up a user account to log in. Be sure to use a complex password and fill in personal account details with caution. Think twice about providing your child’s full name and date of birth, which could potentially mark him or her for identity theft if that data is stolen or breached. Consider entering an alias or nickname for your child instead.
8. The most important tip is to monitor your children’s interactions with any connected toys and to have conversations with them about how to use the smart toys safely.
[1] FBI, “Consumer notice: Internet-connected toys could present privacy and contact concerns for children,” July 17, 2017.
[2] FTC, Children’s Online Privacy Protection Act.
[3] FTC, “Children’s online privacy protection rule: A six-step compliance plan for your business,” June 2017.
[4] Mashable.com, “11-year-old casually hacks into security experts’ Bluetooth to control teddy bear,” May 17, 2017.
[5] The Guardian, “German parents told to destroy doll that can spy on their children,” February 17, 2017. Huffington Post Australia, “Millions of private messages between parents and kids hacked in Cloud Pets security breach,” February 28, 2017. The Guardian, “Hackers can hijack Wi-Fi Hello Barbie to spy on your children,” November 26, 2015.
[6] Symantec, 2017 Internet Security Threat Report.
Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.