Beware of the Internet of ToysWe’ve talked before about the Internet of things, which is considered by many to be the next frontier of consumer electronics. With IoT technology rapidly spreading to a wide range of products – from appliances to lightbulbs and air fresheners – more and more toys are now coming packaged with the same kind of Internet functionality once reserved for computers and smartphones. Known as the “Internet of toys,” this occurrence is causing both privacy advocates and security researchers to worry that these devices might more easily allow hackers to harass families and commit identity theft against them or their children. Continue reading as we talk about the so-called Internet of toys and how you and your family can stay safe in this hyper-connected world.

What is the Internet of toys?

In order to understand the concept of the Internet of toys, it’s important to understand the broader concept of the Internet of things. The Internet of things refers to an ecosystem of “smart” products that communicate wirelessly over the Internet. For example, owners of Philips Hue light bulbs can control the lighting in their homes remotely from their smartphone. What’s more, Philips Hue light bulbs can “talk to” other smart devices, such as the Amazon’s smart speaker, in order to make your life more convenient. Connecting multiple smart devices will allow you to turn on your lights through your smartphone, for example, or ask your smart speaker to turn them on for you. The idea of an Internet of toys applies this logic to dolls, action figures and other playthings. Playtime could be made more fun with toys that can communicate with children through apps and change their catch phrases and functionality as they get software updates.

As the Internet of things takes off, manufactures are rushing to make everything talk on the Internet. But as with computers and smartphones, anything communicating over the Internet is inherently susceptible to hacking and malware. Although the Internet of toys is just now picking up steam, even smart toys haven’t been immune from some of the same types of hacks and breaches we’ve seen with other technologies.

What are the concerns about the Internet of toys?

Many of the same concerns surrounding the broader Internet of things ecosystem exist for the Internet of toys. A few high-profile data breaches – such as the VTech breach that occurred in December of 2015 and the CloudPets breach which happened earlier this year – demonstrate how easily systems storing the data collected from these toys can be broken into. Aside from database breaches, the toys themselves also seem vulnerable. Security researcher Matt Jakubowski demonstrated that some smart toys, like the first smart Barbie doll, were so insecure that their features could be used to spy on children, infiltrate their home network and potentially identify their home address.

In addition to security vulnerabilities, privacy advocates are more broadly worried about how the data and metadata collected on children through these devices could be misused without clearly articulated privacy policies. In another major incident surrounding the Internet of toys, last year the Electronic Privacy Information Center (EPIC), the Campaign for a Commercial-Free Childhood (CCFC), the Center for Digital Democracy (CDD) and Consumers Union filed a complaint with the FCC against both Genesis Toys and Nuance Communications. Both companies were accused of violating the Children’s Online Privacy Protection Act through their storage children’s audio recordings. The complaint also alluded to a lack of due diligence regarding the security of these toys. For example, it appeared that any phone or tablet within 50 feet of the toys could automatically connect with them. These kinds of vulnerabilities make many of the techniques in a hacker’s arsenal, like phishing, incredibly easy. While the FTC has yet to comment on the complaint, privacy advocates in Germany scored a victory when one of the toys (the My Friend Cayla doll) was banned nationwide given its potential to eavesdrop on families.

Should you avoid smart toys?

The decision of whether or not to purchase a smart toy is a personal one. Be aware that not every smart toy or even smart device is insecure, but unless you know (and understand) the security settings device manufactures use, you should assume the device can be compromised.

It’s also important to note that in today’s world, telling apart smart toys and Internet of things products from disconnected ones is getting slightly harder. As such, we put together some things you should consider when purchasing toys or potential smart products:

1. Verify the features of the toy or product. Those who are having difficulty determining if a toy or product is “smart” should take a look at its features. If the device connects to your smartphone or some other product wirelessly, it’s very likely that it’s a smart device. Another giveaway is if the smart toys and products feature voice controls or voice commands, allowing you to interact with them without a keyboard.

2. Look into the terms of service. If you notice any of the features above included in the functionality of the toy or product you’re looking at, you should consult the manufacturer’s website or terms of service for the product. When you look through the fine print, you should be sure to keep an eye out for any information concerning the data on your smartphone, the toy or other product. Remember that if you see something you don’t agree with, you do have the option to not purchase that product and look into a new toy or device.

3. Only buy smart toys and products from known brands. If you end up purchasing a smart toy, you’ll need to be aware of who you’re buying from. Since smart toys and other smart products are connected to the Internet, you should always think of them as smartphones or computers. You likely wouldn’t buy a phone or a computer from a brand you’ve never heard of or researched, right? The same should be true for toys and other smart products, especially since smart products will constantly need to be patched and secured with updates, like every other piece of technology you own. Big name brands have an incentive to continuously patch the software of their products and maintain a reasonable privacy policy. That’s not to say they’re perfect, but you’re likely to have more recourse if something goes wrong with a product from a major brand.

For more information about the Internet of things and other emerging privacy issues, follow our technology blog.