Like it or not, our kids love technology just as much as we do. Toymakers know this, and are rushing to make kids high-tech toys. But often, these toys are connected to servers that store your kids' — and your own — personal data in the cloud.
A doll that knows your child's name and favorite color might be cute, but is it also setting up your child or family for unforeseen security risks, such as identity theft? Can a toy know too much about your child?
Toys that give away secrets
Several recent incidents have shown how vulnerable Internet-connected toys can be.
In early 2015, Mattel unveiled Hello Barbie, which learned a child's name and "spoke," thanks to real-time language processing on remote servers run by a Mattel subcontractor. Security researchers later broke into those servers and found recorded conversations that dolls had had with children.
Another researcher, Matt Jakubowski of Chicago, took apart the Hello Barbie doll and found sensitive information that had been stored without protection.
"Jakubowski said he was able to get access to the users' system information, as well as Wi-Fi network names, account IDs, and audio files," said Dodi Glenn, vice president of cybersecurity at diagnostic-software maker PC Pitstop.
In November 2015, a hacker broke into the database of Chinese kids-gadget maker VTech, then showed a journalist that he had accessed 4.8 million customer accounts. Each account held a parent's full name, email address and physical address, plus first names, genders and dates of birth of the account holder's children, and even, in some cases, photos taken by children using VTech devices. All told, the personal information of 6.4 million children was compromised.
"VTech was an interesting case, as it involved a Web portal (for downloading apps) and also a server to which toys were upstreaming data such as pictures," explained Sean Sullivan, a security advisor at antivirus software maker F-Secure, in an email.
"The pictures involved were taken by children attempting to mail them to their parents. They should not have remained on the server," Sullivan said. "But delivery failed, and so the pictures remained in a queue. Failure to deliver should equal some sort of delete after 'x' amount of time. But VTech didn't purge old files. So the hacker discovered a good deal of content which didn't need to be there."
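The purge Sullivan describes could look like the following sketch, added here as an illustration and not VTech's code. The seven-day window, the QueuedPhoto record and the function names are assumptions, and the sample files are constructed.

```python
import os
import tempfile
from dataclasses import dataclass

RETENTION_SECONDS = 7 * 24 * 3600  # assumed value for the "x" in the quote
@dataclass
class QueuedPhoto:  # hypothetical record for one picture uploaded by a toy
    path: str
    queued_at: float  # epoch seconds at upload time
    delivered: bool = False

def _remove(path):
    try:
        os.remove(path)
    except FileNotFoundError:
        pass  # already gone; the purge has to be safe to re-run

def try_deliver(item, send):
    """Attempt delivery; delete the server-side copy as soon as it succeeds."""
    if send(item):
        item.delivered = True
        _remove(item.path)
    return item.delivered

def purge_expired(queue, now, retention=RETENTION_SECONDS):
    """Delete undelivered pictures older than the retention window."""
    kept, purged = [], []
    for item in queue:
        if item.delivered:
            continue  # file was removed on delivery; drop the record too
        if now - item.queued_at > retention:
            _remove(item.path)
            purged.append(os.path.basename(item.path))
        else:
            kept.append(item)  # still inside the window, retry later
    return kept, purged

def demo():
    """Constructed sample: one delivered, one stale failure, one fresh upload."""
    now, tmp, items = 1_700_000_000.0, tempfile.mkdtemp(), []
    for name, age_days in (("a.jpg", 30), ("b.jpg", 30), ("c.jpg", 1)):
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes")
        items.append(QueuedPhoto(path, now - age_days * 86400))
    try_deliver(items[0], send=lambda item: True)   # delivery succeeds
    try_deliver(items[1], send=lambda item: False)  # delivery fails, stays queued
    kept, purged = purge_expired(items, now)
    return [os.path.basename(i.path) for i in kept], purged, sorted(os.listdir(tmp))
```

Run on a schedule, a sweep like this bounds how long a failed delivery can sit on the server, which limits what an intruder finds there.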
In February 2016, Mattel admitted that its Smart Toy line of stuffed animals, which also have "conversations" with small children, had security flaws. Hackers could have hijacked the toys' communications with Mattel's servers and learned children's names, birthdates and genders — enough personal information to get an identity thief, or a stalker or kidnapper, started.
Playing around with privacy and security
With the rise of the Internet of Things (IoT), and the increasing availability of connected toys and games targeted to children of all ages, we're seeing only the tip of the iceberg of vulnerabilities and identity-theft risks.
Like most IoT devices, toys and games are not designed with security in mind, and there is rarely a built-in safety system to rely upon. Even if Internet-connected toys did have security features, Glenn said, parents might ignore them, rationalizing that these devices are "just toys" that can't cause any harm.
The harm is the loss of the personal information that parents (or children themselves) enter into the toymakers' databases. Many parents don't think twice about putting intimate details about their children on social media, and that permissive attitude has spread to the data requested by toy manufacturers to make a toy's features more personal.
The manufacturers want you to provide personal information such as email addresses, passwords, mailing addresses, and even the names and birthdates of children and their parents, as well as other personal and revealing information about the child and family.
"Much of this data is collected by the toys' vendors and stored in the cloud, where it can be easily compromised by cyber attackers if proper security measures are not put into place," said Paul Paget, CEO of Pwnie Express, a provider of network-threat-detection tools.
How to avoid being betrayed by your kids' toys
This is why security experts suggest that parents provide toys with as little personal data as possible. After all, the toy will only "know" what it is told.
"Parents can create fake identities and email addresses to use for online registrations," said Stephen Coty, chief security evangelist at security-as-a-service provider Alert Logic. "For example, there is a service called 10 Minute Mail that allows you to register for things and create an account. Not only will it save you from the spam, but also, you won't get compromised if the data is compromised."
When parents buy an Internet-connected toy, they should immediately change the toy's default password to a new password that is, if not unique, then different from the passwords used to access sensitive information such as bank and email accounts. If the toy connects to an app on a smartphone or to the Internet through a computer, make sure all of the security checkpoints are in place on that device — have good security software installed, secure your Wi-Fi network with an access password and never download software or apps from suspicious sources.
The recent toy breaches should serve as a wake-up call to consumers and businesses alike to take extra precautions to secure their Internet-connected devices, Paget said.
"Consumers must begin to ask questions about how their information is being collected by connected toys and devices and the companies that manufacture them," he said. "Beyond that, they must begin to demand that vendors focus more heavily on securing their personal data to help prevent breaches like this in the future."