Internet-connected smart toys, a popular holiday gift item, have vulnerabilities that put both children and parents at risk of data breaches and identity theft.

Smart toys, which connect to the internet and offer children a personalized, interactive play experience, were a very popular gift item this past holiday season. However, the interactive features of smart toys – such as the ability of the toy to remember a child’s name and birth date, or even track their location – are made possible because the toys connect to the internet, just like all other IoT devices. Meanwhile, the cyber security of IoT devices, and of the information they collect, is in serious question, and smart toys are no exception.

Smart Toys as Cyber Weapons

Child identity theft is a very serious problem. A 2012 study commissioned by the Identity Theft Assistance Center found that 1 in 40 U.S. households with minor children (under age 18) had at least one child whose personal data had been compromised. Cyber criminals have no moral qualms about targeting even the youngest children. In fact, child identities are worth more than adult identities on the black market because thieves can often use them for many years before the victim realizes what has happened. Adults may discover that their identities have been stolen fairly quickly, such as after their credit card company alerts them to suspicious activity on their card. Minors, conversely, may not find out they have been victimized until they apply to college or attempt to rent their first apartment, only to find that their credit has been ruined.

Smart toys are the perfect vehicles for child identity theft because of the personal information they collect, including children’s full names, gender, street address, and birthday. Parents are at risk as well, since many smart toys require parents to provide their own information and even a credit card number to enable certain features. Additionally, since smart toys connect to parents’ home WiFi, they are subject to the same cyber intrusions as computers, routers, and all other connected devices; hackers could potentially get into a home network through a child’s toy and make their way to the parents’ computers.

Connected toys have already been hacked. In 2015, VTech, a manufacturer of smart toys and baby monitors, was breached, exposing the personal data of over 5 million parents and approximately 200,000 children. Shortly before Christmas in 2016, Senator Bill Nelson (D-FL) cited the VTech hack, as well as security vulnerabilities in other children’s IoT devices, when he called on the Federal Trade Commission to “carefully monitor” smart toys and demanded that manufacturers properly secure them. Among the other issues Senator Nelson’s investigation uncovered were vulnerabilities in a GPS watch manufactured by hereO that allows parents to track their children’s locations and a “Smart Toy Bear” from Fisher-Price that records what children say to it.

What Parents Can Do

Some consumer groups are so alarmed that they have advised parents not to purchase smart toys until manufacturers can properly secure them. At the very least, the following precautions should be taken:

• Change the toy’s default login credentials immediately after purchasing it. Make sure to choose a unique, strong password.
• Do not provide a smart toy with any personal data on yourself or your child, such as addresses or birth dates, and turn off any cameras, voice recording, or location-tracking features.
• Make sure to download and install security updates for the toy’s software as soon as they are released. Be aware that manufacturers may stop supporting the toy with security updates once a new model has been released; at that point, it’s best to disconnect the toy.
• Do an internet search on the toy’s manufacturer. If they have already experienced a data breach, consider returning the toy to the store.

What Manufacturers Should Do

A good start would be for manufacturers to adopt Senator Nelson’s proactive cyber security suggestions for smart toy manufacturers, such as:

• Limiting the amount of data collected to only that which is absolutely necessary for the toy to operate, and retaining children’s and parents’ personal data only for as long as absolutely necessary.
• Making cyber security an integral part of a smart toy’s software development lifecycle, not an afterthought. Smart toys should have strong cyber security measures built into them from the beginning.
• Continually reassessing the threat landscape and reevaluating the cyber security of individual toys, as the cyber threat landscape is dynamic, and new threats are continually emerging.

Smart toys and other connected devices used by parents and children are here to stay. The manufacturers of these devices have a responsibility to their customers and the general public to ensure that their products cannot be used as cyber weapons and vehicles for child identity theft.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.