“Toys are basically the poster child for bad security in IoT,” said Bree Fowler, cybersecurity editor at Consumer Reports. “Nest and Google, they have huge security departments. They can actually sink some cash into security when they build things if they choose to. Toys don’t really have that background. They’re not tech companies.”
The FBI warned consumers last year that smart toys raise “concerns for privacy and physical safety” of children. The potential risks range from hackers eavesdropping on kids to stealing a child’s identity. The mining of sensitive data such as GPS location, pictures or videos, and known interests all could aid kidnappers, the FBI wrote.
In January, the Hong Kong-based electronic toy maker VTech agreed to pay $650,000 to settle charges by the Federal Trade Commission after a data breach exposed the personal information of millions of parents and children, including names, gender, birth dates, and email addresses. It was the FTC’s first children’s privacy and security case involving connected toys. And kids might not know the full ramifications of smart-toy data breaches until they apply for loans later in life and learn their identity has been stolen, experts said.
Last year, German officials labeled an innocent-looking smart doll, My Friend Cayla, an illegal “espionage device” and asked parents to disable it. The blond, childlike doll recorded conversations, translated them to text, and shared data with third parties, according to a complaint filed in 2016 by consumer groups.
This went on despite the toy’s assurances that it would keep things confidential. If you asked Cayla “can you keep a secret?” the doll said: “I promise not to tell anyone; it’s just between you and me.” The manufacturer, Genesis Toys, which is incorporated in Hong Kong and headquartered in Los Angeles, did not return a request for comment.
Internet-connected smart toys are growing in popularity, with the $6 billion market expected to expand to $18 billion by 2023, according to Juniper Research.
Federal law requires companies to get parental permission before collecting and sharing data of children under 13. The Children’s Online Privacy Protection Act also mandates clear privacy policies. It gives parents access to their children’s data, and enables parents to have the personal information deleted, among other rules.
Consumer groups and security experts have identified other smart toys that raise privacy and security concerns.
Take the Fisher-Price Smart Toy Bear, a teddy bear stuffed with a microphone, camera, speaker, pressure plate, and an accelerometer for knowing when it’s tossed in the air. The toy can have a conversation with a child and is familiar with world events. Mattel, which owns Fisher-Price, said it has stopped manufacturing the toy, but it can still be bought from major retailers including Amazon and Walmart for $55.99.
In April, researchers at Indiana University said they discovered a security flaw that allowed them to gain unauthorized access to the toy bear’s nose camera.
“It is capable of recording children or their families without any warning that the camera is in operation,” the researchers wrote. “There is no light or other indicator for the user to know the camera is in operation. Since the bear does operate as a screen-less phone, the normal notifications that are screen-based are unavailable to protect the user.”
In a statement, a Mattel spokesperson said the company “takes the safety and privacy of our consumers very seriously.”
“We have implemented various security updates since the product was manufactured in 2015,” spokesperson Lisa Fujioka said. “We have no knowledge of any consumer data breach related to this product.”
Earlier this month, the U.S. Public Interest Research Group said parents should be wary of buying Amazon’s popular children’s tablet, the Fire HD Kids Edition. The group cited research from the Mozilla Foundation, which warned that “Amazon gets to know your kid’s personal information from the cradle on.”
“This product is built from the ground up for kids, with kids and parents and their priorities in mind,” said Kurt Beidler, Amazon’s director of kids & family. “It’s been used by over 10 million kids. Parents and kids both love it. We’ve earned parents’ trust by respecting things that they care about. And kids’ safety, kids’ education, kids’ privacy are things that are first and foremost on that list.”
Amazon may ask for a child’s screen name (which can be any word), gender, and birth date to set up a kid’s profile. Parents must contact customer service to delete children’s activity data. In the words of Amazon, the new $129.99 “Fire HD 8 Kids Edition” tablet is “not a toy.”