Please don't buy this: smart toys

Please don’t buy this: smart toys

Smart toys attempt to offer what a lot of us imagined as kids—a toy that we can not only play with, but one that plays back. Many models offer voice recognition, facial expressions, hundreds of words and phrases, reaction to touch and impact, and even the ability to learn and retain new information. These features provide an obvious thrill for many children, whose imaginary friend just became a lot more real.

At the low end, smart toys can be as simple as a motion-activated rattle designed with features intended to help with developmental milestones. Higher-end toys can be as engaging as a real-life R2-D2 that will watch Star Wars with you and offer commentary.

But much like other Internet of Things products, smart toys don’t have a great track record of protecting personal information, designing software according to industry best practices, and updating in a timely manner. And we’re in fairly new territory when it comes to young children and the Internet. Suddenly, we have to worry about protecting the digital footprint of our kids before they’re even online as active participants. Not only that, we don’t yet know the repercussions of a person’s data being collected and transmitted online essentially from birth.

As cool as that R2-D2 is, we suggest for the time being that you please don’t buy smart toys.

Why not?

The problems start to creep in with the data collection necessary for a toy to be properly interactive. While simple games and preprogrammed phrases can launch using on board memory or a bluetooth connection to a computer, more complex speech recognition and “remembering” user preferences and conversations generally requires sending input data to a remote server for analysis of the training data set.

This process can be completely benign if all points in the data transmission chain are configured and secured properly. Unfortunately, there is a lot of room in the collection chain for vulnerabilities to creep in.

At the point of collection, decisions need to be made to appropriately sanitize personal information. (Doubly important if the user is a child.) The collected data needs to be transmitted in a manner that’s secure against third-party eavesdroppers. And at the other end of the collection chain, all data needs to be stored on a secure server using patched, up-to-date software, and hashed with a modern, secure algorithm. Smart toy makers have not done well on any of these benchmarks in the past.

Setting privacy issues aside for a moment, software update lag is a common issue with any IoT device. A smart toy may be smart today, but new functionality and bug fixes might be rare or nonexistent to allow for new product releases. Security patches, in particular, vary wildly in frequency across IoT manufacturers. Of the manufacturers we reviewed, only Fisher Price disclosed anything specific about their updates and data collection practices, and no manufacturers provided any information about security features.

Lastly, security design of these products—in particular, their associated mobile apps—is generally not very good. Hong Kong maker VTech Electronics made the news in 2015 for what they described as a “sophisticated” SQL injection attack that resulted in exposure of personal information for millions of children. Breaches happen quite a bit, and the temptation is to dismiss it as something unavoidable. But an outstanding article by Troy Hunt took a look at their security practices and found:

  • No usage of SSL anywhere on their websites
  • Password hashing with a deprecated, easily-cracked algorithm
  • Storage of security questions in plain text
  • Extensive use of Flash

For those not in the know, these are basic, 101-level security design flaws that in total suggest irresponsibility by the company rather than a one-off event by a hyper-competent hacker. (Please read Troy’s followup article, which goes into greater detail on the impact of VTech’s poor design.)

Until companies can be held to a unified standard of foundational security practices, allowing them access to an underaged user in any way is ill-advised.

Maybe buy this instead

Beyond the security issues built into the product out of the box, adult users aren’t always helping the cause, ignoring updates or clicking through agreements without reading privacy notices in detail. Often simple computer hygiene, like changing the default password, could save a family from creepy hacks of their baby monitors and teddy bears.

Sitting down with your toddler and having a conversation about privacy and secure PII best practices probably won’t go well, either. Should your child not be amenable to an IoT ban, Fisher Price makes a series of smart toys that state clearly that no personal information is transmitted via WiFi. Clear, unequivocal statements like that are rare in the IoT space.

However, in 2016, a Fisher Price smart bear was found to be leaking customer and children’s data via an unsecured API. Industry security standards for most IoT products are so low that even the best in a particular class can still be a risk.

For the sake of the children

Smart toys take all of the risk of IoT products and apply them to children. Prior negligence by some companies, as well as the larger impact of security flaws when the user is a child, prompted the FBI to release an advisory on potential issues with smart toys. Until manufacturers operate under a shared security standard with meaningful enforcement, we advise that please, for the sake of the kids—don’t buy this.


William Tsing

Breaking things and wrecking up the place since 2005.