Long gone are the days when the biggest worry about ripping open a new electronic toy for the holidays is whether batteries would be included.
Internet technology has imbued the toy industry like never before. Yet along with those advances comes a new set of security risks, says M. Eric Johnson, a widely recognized IT security researcher and dean of Vanderbilt’s Owen Graduate School of Management.
“These new bells and whistles may excite children, and they help toy retailers appeal to an increasingly tech-savvy generation,” Johnson said. “But they also invite a range concerns around hacking, surveillance, and data privacy. In the wrong hands, toys can be used to stalk children or steal a parent’s identity.”
Toys that connect to a wireless network or to a personal computer have become part of the Internet of Things, Johnson said, exposing them to remote attacks from anywhere in the world. He points to several recent examples:
Researchers found vulnerabilities in several smart watches designed for children that allow hackers to track the wearer's location, or eavesdrop on conversations.
A line of fuzzy pets designed to interact with children recently allowed Bluetooth connection without authentication, making it possible for anyone to hack the toy. In addition, the toymaker misconfigured its database, exposing two million voice recordings of kids and their families.
In February 2017, the Germany’s national telecom regulator recommended destroying the microphone in a toy doll that was shown to have security weakness allowing hackers to snoop on families in an effort to steal personal information.
Even popular interactive toys from major US toy companies, such as Hasbro’s Furby Connect, have been shown to exhibit security weaknesses.
Johnson has developed a list of 10 things parents can do to help ensure that these toys aren’t leaving them vulnerable to security flaws:
* Never leave toys on and connected to the internet when not in use.
* Power toys down when not in use to be sure they are not being used for eavesdropping.
* Never allow young children to peruse the internet unsupervised using connected toys.
* Scrutinize any web-based applications that collect sensitive information like addresses, birthdates, or family names. Share as little information as possible – there is almost never a consumer benefit to sharing personal information and it’s impossible to know where it may end up.
* Parents should maintain passwords and user names for toys, games, websites or social media used by children and routinely check them.
* Do your research. Google the toy’s name to search for known security risks. Check FBI alerts. Investigate whether personal information is being stored in the cloud.
* Limit Bluetooth-enabled toys in public places like airports, schools, or malls.
* Only connect toys to secure and trusted WiFi networks.
* Consider home network protection systems that guard against malware, stolen passwords, spying, and other potential hazards from infiltrating internet-enabled devices, including toys.
* Remember that toy makers typically have limited technology budgets and rarely have robust IT security systems in place. Even devices that manufacturers say are secure can be hacked or reverse engineered with enough effort. There are always risks.