Trouble From the Toy Box: Will That ‘Smart’ Holiday Gift for the Grandkids Be a Spy for Hackers?

If “smart toys” are on the holiday wish list of the children in your life, know this: The FBI warns that such interactive, internet-connected gifts could be compromised by cyber hackers, and it advises that security precautions be taken before playtime begins.

Although the bureau doesn’t identify specific risky products, it says that “these toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities — including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.” The toys include dolls, stuffed animals, card packs, wrist bands and other playthings typically connected to the internet, either directly through Wi-Fi or indirectly via Bluetooth to a smartphone (which, in turn, is connected to the internet).

Among the concerns: Many smart toys, often intended to promote learning, have microphones that “could record and collect conversations within earshot of the device,” says the bureau. These conversations could reveal ID theft-worthy details such as the child’s name, address and birth date. (Meanwhile, such details may be provided or required when creating user accounts.)

“In addition, companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs,” the bureau says. “The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”

Some smart toys have already come under fire. Earlier this year, an internet-connected doll called My Friend Cayla, with an internal microphone, was banned in Germany. Meanwhile, a security researcher reported that more than 2 million voice recordings were exposed via CloudPets, stuffed animals that allow parents and children to exchange voice messages. And smart toy manufacturer VTech has acknowledged that close to 5 million customer accounts were hacked via the smart toys Learning Lodge and Kid Connect, allowing hackers to access children’s names, addresses, birth dates, chat histories and photos.

In addition to microphones, recording devices, cameras and GPS capability, other risks in internet-connected smart toys include features such as speech recognition technology, speakers, and wireless transmitters and receivers. Also be mindful (and cautious) with products that request names, addresses and other personal information when you register; have cloud connection capability (and remain connected to the cloud when the toy is turned off); or don’t include an End User License Agreement or identify their cloud storage provider.

As with other risk-posing smart devices in your home, here’s how to be smart with these high-tech toys:

  • Before buying, research the product for any reported security issues. Also look for certification or verification by members of the COPPA Safe Harbor Program (for Children’s Online Privacy Protection Act), affiliated with the Federal Trade Commission.
  • Read the company’s privacy policy and user agreement. Find out where user data is stored (with the company itself, third-party services or both) and research their reputations, especially in regard to cyber security.
  • Determine how (or if) you would be notified about a possible data breach or if vulnerabilities in the toy are discovered.
  • Connect and use the toy only with trusted and secure internet access — not on public Wi-Fi.
  • Use a strong and unique PIN or password when connecting to a Bluetooth device. If the product comes with a default password, change it.
  • Use encryption when transmitting data from the toy.
  • If the toy can receive software updates and security patches, ensure it is using the most updated version.
  • Be stingy with personal information when setting up user accounts. A teddy bear really doesn’t need to know your child’s last name, address or birth date. Also teach young’uns to not “overshare” personal details when playing with or near the toy.
  • Turn the toy off when not in use, especially if it has a camera or microphone.

