FBI Issues Privacy Warning for Internet-Connected Toys
By Tracey Dowdy
The statement begins with, “The FBI encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments.” If you think about it, it makes perfect sense. The same things we depend on our smartphones for – microphones, cameras, GPS, data storage, Bluetooth capabilities and speech recognition – are the exact features present in many of the internet-connected smart toys children play with. Typical play with these devices means that children may reveal their name, where they go to school or other personal information that puts them at risk by hackers.
The US Federal Trade Commission (FTC) filed a complaint last December saying the toys violate the Children’s Online Privacy Protection Act (COPPA). Earlier this year, Germany went so far as to ban the My Friend Cayla doll, labelling it a potential espionage device. The FTC’s complaint mentions the Cayla doll specifically and warns its manufacturer, Genesis Toys, fails to take ‘reasonable security measures’ to prevent an unauthorized individual from using Bluetooth to connect with the toy.
It’s not the first time the vulnerability of smart toys has been questioned. Back in 2015, Chicago-based security researcher Matt Jakubowski hacked Mattel’s Hello Barbie operating system to get access to network names and other data. Hello Barbie only records conversations when a button is pressed but Jakubowski warned hackers could easily bypass the button to gain information.
Intuitive smart toys are just as popular with children as smartphones and devices are with adults. The difference is that phones, laptops and tablets are less vulnerable to hackers because of their native security. Smart toys are newer but lack the appropriate level of security.
Norway’s Consumer Council created a video to demonstrate the risks involved with Cayla and i-Que, another smart-toy created by Genesis. When a child has a conversation with either of the toys, the data doesn’t stay on the doll’s hard drive. Instead, it’s sent to Nuance, a company in Burlington, Massachusetts that specializes in speech recognition technology and whose other clients include intelligence agencies. Nuance can use that information for any purpose they choose, including targeted advertising. For example, Cayla will tell you all about how much she loves Disney movies – Nuance has a commercial partnership with Disney. The recording can be shared with any third-party Nuance chooses and they can change the Terms and Conditions you initially agreed to without notice at any time.
One of the biggest concerns is that with just a few simple steps, anyone with a smartphone can take control of Cayla and iQue. Once they have access, it’s possible to talk and listen remotely without having physical access to the toy.
There’s no need to panic or lay awake nights wondering if the NSA is scouring your smart toy recordings but an informed consumer is a smart consumer. The FBI warning includes suggestions for consumers who are considering buying an internet-connected toy and, if you suspect your child’s toy has been compromised, you can file a complaint with the Internet Crime Complaint Center at www.IC3.gov.
Tracey Dowdy is a freelance writer based just outside Washington DC. After years working for non-profits and charities, she now freelances, edits and researches on subjects ranging from family and education to history and trends in technology. Follow Tracey on Twitter.