‘Internet connected toys – be mindful of security’


I wish everyone a safe and peaceful New Year. Many of you will have new toys in your homes, including talking dolls and stuffed animals. Parents usually create user accounts — entering the child’s name, birthday, and location — so their children can interact with toys in ways that seem real and personal. These toys can have conversations with your children and will “learn” information that makes interactions fun. But the downside is the toy may be recording information about your family and sending it over the internet, even when no one is playing with it.

Unfortunately, these popular toys are sometimes being sold without good security, endangering children and creating the potential for identity theft. Last winter, Germany banned the “My Friend Cayla” doll because of concerns hackers were using the dolls to spy on families.

Another popular internet-connected toy, CloudPets, had a major security breach. CloudPets are cute stuffed animals that “send and receive messages from anywhere in the world!” They also play interactive games and tell bedtime stories. CloudPets users’ private information, including parents’ email addresses and children’s profile pictures and recordings, was leaked and available on the internet because of the company’s lax security. With the information leaked, it is possible for predators to interact with children by sending messages through a child’s CloudPet.

In July 2017, the FBI issued consumer notices to warn parents about internet-connected toys, also called smart toys (ic3.gov/media/2017/170717.aspx). The main safety tip is to make sure you understand how the toy uses and transmits data. Does it have a recording device, location tracking, and a camera? Can the child use it to interact with other people through the Internet? Is the company selling the toy keeping your family’s information secure?

The FBI advises:

• Look up the specific toy online to see if there are any reported security problems.

• Only use trusted and secured internet connections (not Wi-Fi at random coffee shops, hotels, or other public locations) and use strong passwords. Criminals can access the toy when it is unsecured and gather all kinds of information about your child and family.

• Turn the toy’s power completely off when it’s not being used, to make it harder to spy on your family. Put it in a drawer or closet when not using it.

• Keep track of your child’s contact with the toy. If there is a parental function, use it regularly to monitor what’s going on.

• Give the minimum amount of information when registering it, not details like child’s address, school, or birthday.

• Understand the toy’s security when it connects to the internet and use passwords to connect through Wi-Fi or Bluetooth.

• Make sure it has all the latest security patches and updates.

• Read all the disclosures from the company. Find out if you will be notified if the company is hacked or discovers a security vulnerability. (CloudPets did not notify users when they discovered the data breach.) Where is data stored and who has access to it? Who do you contact with questions? If the company does not have a readily accessible security policy, that’s usually a sign to not trust they are keeping your family’s information secure.

If a toy, tablet, phone or anything is connected to the internet, parents and caregivers should be very mindful of when it is off or connected. There is always a risk that any information that goes out will be stolen for use by criminals.

Malinda Williams is the executive director of Community Against Violence, Inc. (CAV), which offers FREE confidential support and assistance for adult and child survivors of sexual and domestic violence, dating violence, and stalking; community and school violence prevention programs; re-education BIP groups for domestic violence offenders; counseling; shelter; transitional housing; and community thrift store. To talk with someone or get information on services available, call CAV’s 24-hour crisis line at (575) 758-9888. TaosCAV.org.
