sb-eu logo
Story image

NordVPN: Are kids’ smart toys spying on you?

04 Jun 2019

Any Internet-connected toys that have cameras, microphones, or location tracking may put children’s or parents’ privacy and safety at risk.

That could be a talking teddy-bear, a smart car, or a tablet designed especially for kids.

With companies pushing the new toys into the market, security safeguards may go overlooked.

“Parents should be aware of what they are bringing home to their children. Once you connect anything to the internet, it may potentially be exposed to cybercriminals. Once they are in, hackers can use the toy’s microphone or camera to hear and see whatever the toy ‘sees’ and ‘hears.’

"In some cases, some shady guys from the internet can even talk to children,” says NordVPN digital privacy expert Daniel Markuson.

“The problem of the vulnerability of connected toys isn’t new, but it’s snowballing, as more and more smart toys reach the market every year.”

Lately, expert warnings about the vulnerabilities and threats of smart toys are becoming more common.

Just last month, a security flaw was found in the TicTocTrack smartwatch for kids in Australia.

This flaw allowed to track children, eavesdrop on them, and even call them.

Interestingly, the company behind the GPS smartwatch was backed by one of the Australian regional governments.

And this case is not an exception. Security failures were discovered in such well known and advertised toys as Furby Connect, CloudPets, i-Que Intelligent Robot, and Toy-Fi Teddy.

Official state institutions in various countries have even banned some smart toys. For example, in 2017, Germany’s Federal Network Agency banned ‘My Friend Cayla’ dolls and allowed retailers to sell them only if they disengaged its ability to connect to the internet.

The Norwegian Consumer Council gave similar evaluation regarding this toy.

However, the largest known breach that targeted sensitive information about children happened in 2015.

A cyber-attack on the digital toymaker VTech Holdings exposed the data of over 6.4 million people, mostly children.

The hacked data included names, genders, and dates of birth.

Parents can never be too careful when it comes to protecting their child.

There are a few basic rules from NordVPN’s digital privacy expert to follow when choosing a smart toy for a kid:

Do your research

Before buying a toy, search online for reviews and expert comments and check for any complaints or security issues. Reputable companies will likely explain what information they collect and how they use it. Don’t forget to read the manufacturer’s Privacy Policy and Terms of Service on their website.

Don’t give away your information

Some toys and games require registration for full playing experience or to provide updates. When registering, be careful about the information you hand over. The developers need your email to let you know about updates, but other information is mostly unnecessary. If, for example, it requires your kid’s birthday, you can always lie a bit.

Use only secure Wi-Fi

Before connecting the smart toy to a Wi-Fi network, make sure it is secure and has a strong password. Connecting such gadgets to a public Wi-Fi network is not advised, as those are easily hackable. By the way, set a password on the toy as well, if it allows that.

Check the chats

Some smart toys allow kids to chat with other children playing with the same toy or game. Be sure to explain to your kid what personal information is and why they can’t share it. From time to time, check the messages to make sure your children are not talking to strangers pretending to be kids. Reputable manufacturers will offer ways for parents to review the stored information.

Power it off when not used

It is advised to power off the smart toy when not used so that it stops collecting data. If the item has a microphone, throw it in a drawer or chest, where it’s harder to record conversations. And toys with a camera can be covered or placed facing a wall.

Report the breaches

If you noticed something unusual or a toy was compromised by a hacker, be a good citizen and always file a complaint to the state authorities. It might not help you, but it will make the internet a safer place for everyone and will press the manufacturer to stop overlooking security safeguards.

Story image
ExtraHop brings SaaS network detection and response solution to market
"Reveal(x) 360 is the culmination of a multi-year R&D investment to secure data centre, remote sites, and cloud workloads with frictionless deployment and actionable insights that can be securely accessed from anywhere.”More
Story image
Months on, many organisations still don't have secure remote access - report
The report analyses the extent to which businesses were prepared for the sudden shift into remote working due to COVID-19 restrictions, and analyses how organisations have adjusted to support remote workers amidst the COVID-19 pandemic. More
Story image
HackerOne hits $100M milestone with bug bounties
“We have arrived at the point in history where you are ignorant and negligent if you do not have a way to receive useful input from ethical hackers."More
Story image
DigiCert receives top award from Frost & Sullivan thanks to agile approach
DigiCert has received the 2020 Global Company of the Year Award by Frost & Sullivan, with specific focus on its global transport layer security (TLS) certificate market. More
Story image
Digital heists: Attacks on financial institutions rise 238% in 3 months
The pandemic has created a perfect storm for financial cybercrime, with attackers taking advantage of every opportunity they get to target financial institutions.More
Story image
CrowdStrike expands Linux protection, adds machine learning prevention
CrowdStrike says its solution delivers proven breach prevention and visibility from its cloud-delivered platform via a single lightweight agent.More