FBI Warns Parents of “Privacy and Contact Concerns” of Smart Toys
The Federal Bureau of Investigation (FBI) has warned parents that the IoT toys could pose privacy and contact concerns for children. The Internet Crime Complaint Center (IC3) division of the FBI has issued a public service announcement (PSA) about the improper security and privacy protections that are offered by the manufacturers of Internet-connected toys.
"The FBI encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments," the alert says. Since most of the toys feature sensors, microphones, cameras, speech recognition, GPS, and other similar features and components, they put the privacy and safety of children at risk.
"Consumers should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services," the advisory says. The PSA further explains the concerns that the IoT devices could pose for children.
Data collected from interactions or conversations between children and toys are typically sent and stored by the manufacturer or developer via server or cloud service. In some cases, it is also collected by third-party companies who manage the voice recognition software used in the toys. Voice recordings, toy Web application (parent app) passwords, home addresses, Wi-Fi information, or sensitive personal data could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored.
The public service announcement also cites several examples where IoT toys have exposed parents and children to security risks. In the past few years, we have seen multiple incidents of criminal hackers focusing on Internet-connected toys because not many parents are aware of the lack of privacy protections, falling for the latest trend of smart toys. "Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use," the advisory reads.
The PSA also adds a number of recommendations for consumers to help them stay protected while using smart toys:
- Only connect toys with trusted WiFi networks
- Use encryption when transmitting data
- Use strong and unique login passwords
- Provide only what is minimally required when inputting information for user accounts
- Ensure to always have these toys running on the latest version
- Turn them off when not in use
Before buying the IoT toys:
- Make sure that the toys will receive firmware and security patches from the manufacturer
- Research where user data is stored and "whether any publicly available reporting exists on their [the company's] reputation and posture for cyber security"
- Read privacy policies of the company to know if the company will notify you in case of a cyberattack, vulnerabilities, and any changes made to the privacy policies
Parents can also file complaints of a poorly-protected toy or a compromise of data with the Internet Crime Complaint Center.