Some smart toys record what your kids say, others are open to hacking: Internet Scambusters #751
Interactive smart toys are a great way to educate and entertain children.
But some of them may be "smarter" than you think -- by recording what your kids say and sending the conversations back to the toymaker without your permission.
In other cases, some smart toys could be used by hackers, as we explain in this week's issue.
Now, here we go...
Smart Toys Pose Threat to Child Privacy and Security
Smart toys, which interact with their young owners, are all the rage these days, and we can only imagine that their popularity is going to continue to rise.
This year's New York Toy Fair was full of them and experts say the market will be worth $8.8 billion within three years.
But these toys carry a very real threat to privacy, which is likely to grow alongside their popularity.
If you're a parent or concerned about protecting other children in your family, you need to know what's happening and how to take steps to protect their privacy.
We've already written in the past about the so-called Internet of Things (IoT), which connects many different types of appliances to the Internet, making them potentially vulnerable to hackers: How the Internet of Things Threatens Your Security.
And we've warned you about smart TVs that can monitor their owners' viewing and send reports back to their manufacturers: How to Prevent Your TV Spying on You.
But in the latest development of this trend, it's been discovered that some interactive talking dolls can capture information about the kids who play with them -- "spy toys," as one consumer site called them.
In one case, conversations were allegedly recorded, translated to text by voice recognition software, and then sent back to the toymaker for analysis, supposedly so that the interactivity could be refined and made more effective.
On the face of it, improving functionality seems not unreasonable, but who's to say what else might be recorded and used?
In another case, reported by the technology website CNET, 2.2 million voice messages between children and their parents via web-connected stuffed animals have been exposed on a website.
"The account information of more than 800,000 users, which included email addresses and easily guessed passwords, was stored on an online database that could be viewed by anyone -- no password required," added CNET.
Security experts claim that the site on which these details, and even some photos, were stored was accessed by hackers who held its contents for ransom. This allegedly happened not once, but twice, and the compromised database is now said to be circulating on the dark web -- the part of the Internet used by crime groups.
CNET went on to list a number of other toys that it said were vulnerable to hackers, some produced by well-known, leading manufacturers.
Several companies involved were later said to have changed their security arrangements.
Two Privacy Worries
So, there are two privacy worries here:
First, there's the possibility of manufacturers getting access to personal information from children without the consent of parents.
This may be an infringement of COPPA -- the Children's Online Privacy Protection Act.
And second, there's the chance that information, even if it's collected with parents' consent, could be vulnerable to hack attacks.
As with other IoT devices, there's also the possibility that hackers may be able to gain direct access to some toys.
Though there's no evidence this has happened yet, one security researcher who discovered the ransom incident said the stuffed animals could easily be turned into remote surveillance devices.
"Anyone within range -- 10 meters with a normal smartphone -- can just connect to it," he was reported as saying. "Once you're connected you can send and receive commands and data."
You can actually see a one-minute video demonstration of this hack in action here:
What Can You Do?
Is there anything you can do to protect children against this type of vulnerability?
Sadly, at the moment, the answer from a technical viewpoint is "No."
However, being aware of the risk is your first line of defense.
As Motherboard, one of the security websites that exposed the dangers, commented: "(I)f you are a parent who doesn't want your loving messages with your kids leaked online, you might want to buy a good old-fashioned teddy bear that doesn't connect to a remote, insecure server."
That's too simple an answer. As we said earlier, interactive toys and even personalized robots are going to become very much a part of our lives in the coming years.
IoT product makers are being urged to toughen up on their security and at least one complaint about the talking dolls has been filed with the Federal Trade Commission.
In the short term, the best practical solution is for parents to fully audition the interactivity of toys and to let children use them only in their presence.
This may sound a bit like science fiction to you -- we certainly understand that. But the risk of smart toys being smarter than we think and smarter than they should be is here with us today, and here with us to stay.
In the longer term, this isn't just an issue for kids. If you use any kind of listening device, you should be aware that most of them also save voice data. In one recent, serious court case, there was a debate about an Amazon Echo device being a potential witness to an alleged murder.
So, whether it's a smart toy or a smart assistant, remember that old wartime saying -- "Walls have ears," although, in this case, just about everything has ears. So be careful what you say!
Alert of the Week
Let's stay with this week's subject about smart-device spies.
Consumer magazine Consumer Reports has recently published a guide: How to Turn Off Smart TV Snooping Features.
Everyone with an interactive TV should read this.
That's it for today -- we hope you enjoy your week!