Spies in Your Stocking: Privacy, Smart Toys and the Internet of Things

Matthew Johnson

This year, it may not just be Santa Claus who sees your kids when they're sleeping and knows when they're awake: one of the hottest trends this season is so-called "smart toys", which use the Internet to hold artificially intelligent conversations with kids while they play. Last year's Hello Barbie, one of the first to use this technology, was found to have a number of major security flaws -- including automatically connecting the mobile device to which it was tethered to any Wi-Fi network with "Barbie" in its name. Now two more toys, a doll called My Friend Cayla and the i-Que Intelligent Robot, have been found to collect data in ways that are far more worrying. The toys also use insecure Bluetooth connections to send what children are saying to their parents' Internet-connected devices, which is surprisingly lax security considering the revelations in recent years that tech toys and even baby monitors had been hacked.

[Image: Cayla doll. Source: https://lh4.ggpht.com/33_1t_kL2QfzXngty5yAnxCYXbSiOX4bTtfyz7Cuj4GmH04Na9Q9dx0nSkPod1E04nM=h900]

"The Internet of Things," the term for electronic devices that are connected to the Internet, is one of the biggest current trends in tech -- one research firm estimates that there will be 26 billion connected devices by 2020 -- but since most of these devices are aimed at adults, from fitness trackers to cars to thermostats, parents might be forgiven for thinking this was at least one technology they didn't have to worry about. The issues arising from these smart toys, however, make it clear that parents might have to think about cybersecurity years before their child's first smartphone.

Parents who are considering buying networked toys or appliances should be aware that these devices may be vulnerable in several ways:

  • Many have poor security features, which can easily permit hackers to infect them with malware or spyware, or to take control of them entirely.
  • Because these devices typically connect through your Internet router, malware from an infected device can quickly spread to other devices that use the same network.
  • Because they are often designed to work with online accounts (such as your email or social networking accounts), an infected device can give hackers access to these as well.
  • Even if the devices aren't compromised, many collect kinds of data about you or your kids that you may not be comfortable sharing -- such as fitness trackers that collect health information.

Given these concerns, parents might want to consider the following tips before and after buying Internet-connected devices:

  • Take caution before making your purchase: security experts say that a majority of "smart" devices on the market today are not highly resilient to cyberattacks. Be particularly wary of "cloud-based" tools that can only work when connected to the Internet. Do some research on the product you're considering buying to see if there have been any reports of security problems.
  • Check the privacy policy: make sure you have a clear idea of what happens to the data that the device collects, and what other data it can access by connecting to your online accounts or to other connected devices. In its analysis of smart toys, the Norwegian Consumer Council recommends asking five questions about these policies:
    • Are the terms written in clear language and with a user-friendly layout?
    • Am I informed about who the service may share my data with?
    • Can the service use my data for marketing purposes?
    • Does the service limit the amount of required personal information to what's necessary to provide the service?
    • How does the service use my voice data?
  • Don't buy a smart device, particularly a smart toy, if you can't read the Terms of Service or Privacy Policy.
  • Set a password: make sure that every connected device in your home is protected by a unique password. Most connected devices allow you to set a PIN or password, but many don't prompt you to change it from the factory default.

Example: Build a password from a base phrase by taking the first letter of each word in that phrase, and then adding on to that. So for example, take Mary Had A Little Lamb (MHALL), then add what the password is for (e.g. Mac), and then a significant number on top of that, like an old classroom number. In this case, the password to the Mac could be MHALLmac203. It's even more effective if you add punctuation, so your password could become MH@LLm@c203.

  • Use a guest network: create a "guest" network on your Wi-Fi router and have your connected devices connect to that one, rather than your regular network. That way if they get compromised, they won't be able to access the devices that use your main network (like your computer). 
  • Check for firmware updates: like browsers and computer operating systems, makers of connected devices frequently release "patches" and updates to address new security issues they've discovered. Security experts suggest treating connected devices like smoke alarms, setting a date twice a year to make sure that everything is up-to-date.