This holiday season, the Internet of Toys brings a new twist to the world of technology and children. While the connectivity and “intelligence” of these new and exciting interactive toys are amazing, they are also their greatest weakness. It’s important to be cognizant of the simple fact that this class of connected device, while cool, cute and cuddly, are still connected devices – and that means all the same rules must apply when it comes to protecting your assets.
Internet-connected toys not only provide another option for attackers, their manufacturers aren’t always as mature or evolved in their cybersecurity practices as other technology companies. Couple those two ideas together and it becomes clear that fun gift can also introduce a significant amount of risk into your home network. After all, an attacker often just needs to find one way into your home to move throughout it and do all kinds of damage. The idea of an attacker using a connected toy’s sensor, camera or microphone to gain entry into your home and wreak havoc – ransomware on your PCs would be one such expected attack – is not that far-fetched anymore.
Beyond that, consider the privacy implications of how these devices operate.
- What information is the device is collecting?
- Does it continually monitor what’s going on around it?
- Do you have the ability to disable the “smart” features of the toy?
- Can the device be updated (it *is* still a rudimentary computer, after all) if a flaw or vulnerability is found in it?
- Do you trust the company that sold the device to store any information it collects ethically and securely?
- Have you read the EULA and TOS to find out exactly what the manufacturer is doing with the data? Are they sending that data to third parties for other use?
Another important consideration is what happens when your child takes her connected teddy bear to her friend’s house and connects it to their open wireless network. Did you just get her friend’s house hacked too? What are the privacy implications in this scenario?
Unlike other stories in the media who may tell you to avoid smart toys entirely, I’m not suggesting we, as consumers, avoid these devices entirely; we will continue to see more and more of these types of toys in the years to come. And of course, your kids will want them. But today’s reality is we are still in the Wild West of IoT devices and we will most likely see improvements and – thinking optimistically – regulatory changes that lead to greater security in the coming years.
The risks around interactive and connected toys are real, and substantial. But, if you decide only to play with companies that make it clear they understand the risks involved and the huge amount of trust you’re giving them by allowing them to store the most intimate information of your children, you may be able to limit your exposure to bad things happening in your home.
The allure of interactive, intelligent companions for our children is real, and perhaps unavoidable in the long term. If you’re still on the hook for a few more gifts this year, you might check out Mozilla’s Privacy Not Included guide for those last minute ideas. Generally speaking though, my advice is to tread lightly and slowly and, if your children are a little older, this might be the perfect opportunity to start talking to them about taking their own privacy seriously.