Cyber criminals don’t care who they hurt. This was made obvious during the rash of ransomware attacks on healthcare facilities this year, where hackers locked down electronic health records systems, putting patients at grave risk. There is great concern that the proliferation of Internet of Things (IoT) medical devices, such as smart insulin pumps, will enable hackers to go after patients directly, demanding that they pay a ransom to keep their lifesaving devices working. Now, a new threat is emerging: The opportunity for hackers to target children for identity theft by exploiting vulnerabilities in internet-connected smart toys, which were all the rage this holiday season.

Smart Toys and Child Identity Theft

When most people think of identity theft, they imagine hackers stealing adults’ personal data. However, child identity theft is a serious and growing problem that existed even before the introduction of smart toys. A study commissioned by the Identity Theft Assistance Center in 2012 found that 1 in 40 U.S. households with minor children (under age 18) have at least one child whose personal data has been compromised.

Child identity theft is particularly insidious. Child identities can be worth more than adult identities on the black market because thieves can operate under them for years before being detected. An adult may discover that their information has been compromised fairly quickly; say, after their credit card company flags suspicious activity on their card. Child victims, on the other hand, may have no idea their identities have been stolen until they apply for their first job, try to obtain a college scholarship, or attempt to rent their first apartment, only to find that their credit has been ruined before they can even begin building it.

The attraction of smart toys is that they offer a personalized interactive experience, such as dolls that can talk to children by name and remember their birthdays. However, this interaction is made possible by the toy connecting to the internet, just like all other IoT devices, so any information the child or parent gives to the toy – the child’s name, address, and birth date, or the parents’ credit card information – is transmitted over the internet. And, just like all other IoT devices, there are serious questions as to the security of the information smart toys collect and store.

These concerns are not hypothetical. In 2015, hackers breached servers owned by VTech, a manufacturer of smart toys and baby monitors, compromising the personal data of over 5 million parents and about 200,000 children. Senator Bill Nelson (D-FL) cited the VTech breach, as well as security vulnerabilities in other children’s IoT devices, when he called on the Federal Trade Commission to “carefully monitor” smart toys and demanded that manufacturers of these devices properly secure them.

Securing Smart Toys

Some consumer groups are advising that parents steer clear of smart toys until manufacturers can ensure they are secure. In the meantime, if you have purchased a smart toy for your child, you should take the following precautions:

• Immediately change the toy’s default login credentials.
• Limit the amount of information the toy can collect on your child – and on you, as parents’ data is also at risk. Do not give the toy any sensitive personal data, such as addresses or birth dates, and turn off geo-tracking features.
• Do an internet search on the toy’s manufacturer. If they have already experienced a data breach, consider returning the toy to the store.

Smart toy manufacturers have a responsibility to their customers and the public at large to prevent their products from becoming vehicles for child identity theft. Lazarus Alliance agrees with Senator Nelson’s suggestions for smart toy manufacturers, which include the following proactive measures:

• Build strong cyber security into smart toys from the start. Cyber security should be an integral part of a smart toy’s software development lifecycle, not an afterthought.
• Limit the amount of data smart toys collect to only that which is necessary for the toy to operate.
• Retain customers’ personal data only for as long as absolutely necessary.
• Continually reassess the threat landscape and reevaluate the cyber security of individual toys, as cyber threats morph and change over time.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.