Connected toys are more popular than ever this holiday season, both with children and cybercriminals.
With this category of toys — including dolls, cars, drones and robotics — expected to grow faster than any other this holiday season, according to data research firm NPD, parents need to pay more attention to privacy and security when they buy and register toys with manufacturers, cybersecurity experts warned.
While websites like Shodan allow strangers to spy on unprotected connected devices, a much bigger problem is more mundane: Child identity theft is already 35 times more common than adult identity theft as recently as 2011, according to Experian.
Children often do not realize they have been hacked for many years, which gives hackers time to take out loans or file fraudulent tax returns in their name, said Javvad Malik, a security expert with cybersecurity firm AlienVault. The vast majority of toy manufacturers do not invest enough in making sure a toy's hardware is secure, and collect far more data than they actually need for marketing purposes, said cybersecurity experts.
"A lot of time manufacturers don't want to spend the money [to keep information safe]," said Corynne McSherry, legal director of digital watchdog the Electronic Frontier Foundation.
Last week, consumer rights groups filed complaints with U.S. and European regulators against the maker of two talking toys — My Friend Cayla and I-Que Intelligent Robot — made by Genesis Toys. Last year, the VTech hack that exposed the data including names, birthdays and addresses of 6.4 million children — the biggest-ever hack targeting kids — and a white-hat hacker revealed vulnerabilities in Mattel's Wi-Fi connected Hello Barbie talking doll.
The problems connected toys often have today include lack of Wi-Fi or Bluetooth security, inappropriate mobile app permissions and chips that expose the toy's security, Pen Test Partners security researcher Ken Munro wrote in a blog.
Parents should be aware what information a toy is transmitting — like video, audio and location — and whether that data is protected, where it is stored, who has access to it and how it is being used.
"If you are trading some of your kid's privacy for a really cool toy, at the very least you should make sure you know what bargain you are making," said McSherry.
When registering devices with manufacturers, do not divulge more information than absolutely necessary, and use a separate email address to register, said Malik. Parents should be aware of what components are built into a toy, including microphones or cameras, and might also want to turn off certain services such as location, and not keep the toy in a child's bedroom, he said.
Some manufacturers will provide security updates for connected toys for just a limited period after they are manufactured — not the purchase date — so parents should make sure they understand the true life cycle of the toy, said Ali Lange, senior policy analyst at the Center for Democracy and Technology.
"I wouldn't recommend people use toys no longer being serviced with security updates," she said. "You're better off turning them into dumb toys and not using them if the software is not secure."