
FBI PSA says connected toys may present privacy risks to children

Connected toys may be putting children's personal information at risk, leaving them vulnerable to child identity theft or worse, the Federal Bureau of Investigation (FBI) warned parents.

The agency encouraged parents to do their due diligence into the cybersecurity of toys that connect to the internet, both directly through Wi-Fi and indirectly via Bluetooth to a mobile device connected to the internet. Such toys often contain sensors, microphones, cameras, data storage components, and other multimedia capabilities, according to the July 17 public service announcement (PSA).

These features enable the toys and their manufacturers to collect sensitive information from voice messages, conversation recordings, physical locations, internet usage patterns, internet addresses/IPs, visual identifiers from pictures or videos, and the child's interests.

Toys that connect via Bluetooth may also present a threat to children when they don't have authentication requirements such as PINs or passwords for pairing with mobile devices, as this could enable communication with the child user.

Companies also collect personal information when children create user accounts, leaving information such as names, addresses, dates of birth, and pictures at risk in the event of a breach.

“The cybersecurity measures used in the toy, the toy's partner applications, and the Wi-Fi network on which the toy connects directly impacts the overall user security,” the advisory said. “Communications connections where data is encrypted between the toy, Wi-Fi access points, and Internet servers that store data or interact with the toy are crucial to mitigate the risk of hackers exploiting the toy or possibly eavesdropping on conversations/audio messages.”

The FBI recommends that consumers examine toy company user agreement disclosures and privacy practices, and know where their family's personal data is sent and stored and whether it's sent to third-party services. Parents should also monitor children's use of connected toys and be on the lookout for data breaches involving the toy manufacturers or affiliated firms that may have the child's information.

Some security professionals feel that, despite the intention, the warning will do little to help raise awareness and that more action is needed to address the concerns that were raised.

“Our government needs to step in and establish laws surrounding the collection of big data,” Plixer Chief Executive Officer Michael Patterson told SC Media. “Similar to how the FDA requires a Nutrition Facts label on food packages, consumers need a Collection Facts label that outlines what information is being gathered about them.”

Patterson added that the details should also include how often the data is gathered, how to turn the collection off, where software updates can be found, and what the data is used for beyond vague answers such as “improving customer experience.”

Furthermore, he said, restrictions should also be placed on the current vague and very one-sided End User License Agreements (EULA) to protect the consumer's privacy.

“I don't know if there was a serious incident behind the scenes that prompted the FBI to take action, but there have been several incidents and it has been building not only in the US, but around the world,” Patterson said.

Incidents involving privacy threats from connected children's toys and their manufacturers include Germany banning a doll over fears of hacking and data collection, teddy bears that were found leaking data and spread ransomware, a Fisher-Price smart bear that allowed hacking of children's biographical data, a vulnerable Star Wars toy, and the massive VTech hack that exposed the records of more than five million users.
