Is your kid's favorite internet-connected toy broadcasting their personal information without your knowledge? Maybe! Better make sure you know what you're getting into when you buy one, the FBI warns.
The agency this week issued a PSA that "encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments." The FBI did not call out any specific devices, but argued that the sensors, microphones, cameras, data storage components, and other multimedia capabilities that these toys often sport "could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed."
According to the feds, "toys with microphones could record and collect conversations within earshot of the device. Information such as the child's name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment."
These toys often require the creation of a user account; perhaps the gadget includes a companion app or a web-based dashboard where you can set preferences. But if such data gets in the wrong hands, either via a company's negligence or a data breach, it "could create opportunities for child identity fraud," the FBI warns.
"Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks."
The FBI urged parents to examine user agreements and privacy policies (something we often click through blindly) and investigate whether data is shared with third parties and how it's handled in the cloud. Toys should also only be connected to the internet over secure Wi-Fi networks.
"Communications connections where data is encrypted between the toy, Wi-Fi access points, and Internet servers that store data or interact with the toy are crucial to mitigate the risk of hackers exploiting the toy or possibly eavesdropping on conversations/audio messages," the agency says.
The agency isn't just being paranoid. There have been instances where internet-connected toys caused concern or the companies producing them were hacked. Hello Barbie, for example, was criticized for its security settings, while earlier this year, a German watchdog urged parents to get rid of the My Friend Cayla doll and i-Que robots after an insecure Bluetooth connection made them vulnerable to monitoring by hackers.
A 2015 hack of the VTech Learning Lodge database, meanwhile, exposed names, email addresses, passwords, home addresses, and download histories of 4.8 million adults who purchased products online. The first names, genders, and birthdays of more than 200,000 kids were also exposed.