![](\"https:\/\/media.wired.com\/photos\/5a39bb991b8a2f160a8dd667\/master\/pass\/KidsToys-508410604.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Wed, 20 Dec 2017 19:08:01 +0000<\/strong><\/p>\n For last-minute shoppers, <\/span>tech toys hold a special appeal. They\u2019re crowdpleasers, and generally available with two-day shipping\u2014or faster\u2014from any number of online retailers. Stapling on internet connectivity also might make these flashy kids gadgets sound all the more appealing; it\u2019s not just a teddy bear, it\u2019s a machine learning<\/em> teddy bear. On the other hand: don't.<\/p>\n This is not a screed against technology generally, or even tech as it relates to kids; there are plenty of responsible, safe ways for children to navigate and benefit from the internet<\/a>. Instead, it\u2019s an important reminder that toys with an online connection are at their core just another IoT device, often replete with the same ills and vulnerabilities<\/a>. Plus, they have the added horror of occasionally pointing a microphone or camera at your child.<\/p>\n \u201cGenerally, people may not make that leap" that an internet toy is just another part of the IoT landscape, says Tod Beardsley, research director at security firm Rapid7. But hackers who target poorly secured internet-connected devices don\u2019t distinguish between, say, a generic webcam and a Wi-Fi action figure. \u201cA lot of the infrastructure looks like regular old Linux or Android. An attacker doesn\u2019t care; inside it\u2019s just a computer,\u201d Beardsley says.<\/p>\n That makes internet-connected toys prime candidates to join a so-called botnet, an army of zombie machines used by hackers to launch denial-of service-attacks against websites, servers, or other pieces of internet infrastructure. Remember that afternoon last fall when the internet shut down<\/a> for the better part of an afternoon across the US? A botnet<\/a> made that possible.<\/p>\n To which you might say, OK, sure, but that doesn\u2019t sound so bad, at least in terms of how it affects my joke-telling conversational robot for tweens. Which, fair! But there\u2019s a reason the FBI this year issued a warning about internet-connected toys, and it\u2019s not just the threat of getting caught up in botnets.<\/p>\n \u201cThese toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities\u2014including speech recognition and GPS options,\u201d the agency wrote<\/a>. \u201cThese features could put the privacy and safety of children at risk.\u201d<\/p>\n That's not just hypothetical alarmism. When Mattel rolled out its talking, Wi-Fi enabled Hello Barbie doll<\/a> in 2015, the product proved easily hackable; an attacker could have stolen anything from passwords to actual snippets of conversation before the toy giant rolled out fixes. More recently, the Norwegian Consumer Council found that it was trivial<\/a> to track kid-focused smartwatches from multiple companies, and even use them to communicate with children who wear them.<\/p>\n 'Maybe Santa gets to know who\u2019s been naughty and who\u2019s been nice. But not toy companies.'<\/p>\n Marc Rotenberg, EPIC<\/p>\n The list goes on, including real-world consequences. In March, a line of IoT teddy bears called CloudPets left two million messages recorded by the fluffy buddies exposed in an online database<\/a>, where anyone could have listened to them\u2014not to mention sifted through 800,000 emails and passwords that were exposed as well. The list goes on, but you get the point.<\/p>\n Not every internet-connected toy is insecure, just like not every home webcam falls prey to hackers. But the IoT industry in general has a long way to go in terms of overall security, and toys as a subcategory are no exception. Besides, hackers aren\u2019t even your biggest concern\u2014more often than not, the companies themselves are.<\/p>\n Last year, several advocacy groups jointly filed a complaint<\/a> with the Federal Trade Commission against two specific products made by Genesis Toys, My Friend Cayla and i-Que Intelligence Robot, alleging that they \u201cunfairly and deceptively collect, use, and share audio files of children's voices without providing adequate notice or obtaining verified parental consent.\u201d The toys have already been banned in Germany, and stripped from the shelves of Target and Toys R Us. (You can still find them on Amazon, albeit in limited quantity as of this post.) Genesis Toys did not respond to a request for comment.<\/p>\n Privacy advocates say that those two specific complaints speak to broader concerns about the industry.<\/p>\n \u201cCompanies that are selling internet-connected toys are not just profiting from selling the device,\u201d says David Monahan, campaign manager for Campaign for a Commercial-Free Childhood, a group dedicated to ending child-targeted marketing. \u201cThey\u2019re profiting by collecting and monetizing a lot of sensitive information from kids.\u201d<\/p>\n While the Children\u2019s Online Privacy Protection Rule, known as \u201cCOPPA,\u201d puts limits on that sort of data-harvesting, it mostly ensures that parents have to give consent before data collection happens. In the frenzy of setting up a Christmas gift, it\u2019s easy to tap \u2018yes\u2019 without realizing exactly what it is you\u2019ve agreed to.<\/p>\n "Internet connected toys are a privacy nightmare," says Marc Rotenberg, president of the nonprofit Electronic Privacy Information Center. "Maybe Santa gets to know who\u2019s been naughty and who\u2019s been nice. But not toy companies."<\/p>\n If you are<\/em> going to give an internet-connected device\u2014or already bought one and can\u2019t find the receipt to return it\u2014the most important thing you can do is to understand exactly how it works, what it collects, and what it does with that information.<\/p>\n \u201cIf you look at the privacy policy and feel like you\u2019d need a lawyer to understand it, that\u2019s a red flag,\u201d says Monahan.<\/p>\n That diligence extends to securing the device, as well. \u201cInternet toys tend to be replete with default user names and passwords,\u201d says Beardsley, which makes hacking them, well, child\u2019s play. Take the time to customize the device setup, creating a unique password, and also figure out if and how the manufacturer pushes software updates, which often contain critical security patches.<\/p>\n 'If you look at the privacy policy and feel like you\u2019d need a lawyer to understand it, that\u2019s a red flag.'<\/p>\n David Monahan, CCFC<\/p>\n Be aware, too, of how these toys function. \u201cAnything that has an input sensor, like a camera or a microphone, has to be on in order to work as advertised,\u201d says Beardsley. In the same way that an Amazon Echo or Google Home listens constantly\u2014but only sends data back to a server after hearing a \u2018wake word\u2019\u2014a toy that uses a camera to detect colors, say, is likely always watching. And it may not be clear under what circumstances it communicates what it sees and hears over the internet, or what it stores.<\/p>\n In fact, that Echo comparison proves apt for other reasons. Those devices raise privacy hackles as well, but least when you interact with Alexa or Google Assistant<\/a>, you understand the risks. \u201cAs adults, we make decisions around making transactions online, we know what kind of information we\u2019re putting out there that might be vulnerable,\u201d says Monahan. \u201cKids don\u2019t really understand that. They can\u2019t make a conscious choice about sharing that information.\u201d<\/p>\n Those potential issues even led Mattel to cancel a highly touted upcoming product. Its Aristotle AI assistant was designed as a sort of Echo for the stroller set, until the company nixed it in October<\/a> over privacy concerns.<\/p>\n And at that point, what more do you need? When even the toy companies are having second thoughts, it's well past time to pull the plug on connected gifts.<\/p>\n