Beware the holiday ‘smart toys’ that spy on your kids

Channel 2's Jovita Moore reports.

Children talk to their toys as if they’re really listening, sometimes confiding in dolls and stuffed animals.

Now toys are actually listening. And remembering.

This holiday season, shoppers can buy “smart toys,” internet connected playthings equipped with microphones, cameras, and the ability to collect reams of data about children.

Consumer advocates warn the toys pose privacy and security risks for kids. Security experts have shown smart toys can be easily hacked, and toy makers have taken heat for major data breaches and sharing personal information with third parties. Examples include a doll banned in Germany for recording children and a teddy bear with a hackable camera.

Smart toys seemingly come to life utilizing “Internet of Things” (IoT) technology that has wirelessly connected coffeemakers, thermostats, and yes, toilets. But smart toys have proven to be particularly vulnerable to cyber attacks. Manufacturers try to keep toy prices low and lack an incentive to add reasonable security mechanisms, said Kayne McGladrey, member of the Institute of Electrical and Electronics Engineers, the world’s largest technical professional organization.

“Toys are basically the poster child for bad security in IoT,” said Bree Fowler, cybersecurity editor at Consumer Reports. “Nest and Google, they have huge security departments. They can actually sink some cash into security when they build things if they choose to. Toys don’t really have that background. They’re not tech companies.”

» Consumer groups warn of Christmas toys that could spy on the family

The FBI warned consumers last year that smart toys raise “concerns for privacy and physical safety” of children. The potential risks range from hackers eavesdropping on kids to stealing a child’s identity. The mining of sensitive data such as GPS location, pictures or videos, and known interests all could aid kidnappers, the FBI wrote.

In January, the Hong Kong-based electronic toy maker VTech agreed to pay $650,000 to settle charges by the Federal Trade Commission after a data breach exposed the personal information of millions of parents and children, including names, gender, birth dates, and email addresses. It was the FTC’s first children’s privacy and security case involving connected toys. And kids might not know the full ramifications of smart-toy data breaches until they apply for loans later in life and learn their identity has been stolen, experts said.

Last year, German officials labeled an innocent-looking smart doll, My Friend Cayla, an illegal “espionage device” and asked parents to disable it. The blond, childlike doll recorded conversations, translated them to text, and shared data with third-parties, according to a complaint filed in 2016 by consumer groups.

This went on despite the toy’s assurances that it would keep things confidential. If you asked the Cayla “can you keep a secret?” the doll said: “I promise not to tell anyone; it’s just between you and me.” The manufacturer, Genesis Toys, which is incorporated in Hong Kong and headquartered in Los Angeles, did not return a request for comment.

Internet-connected smart toys are growing in popularity, with the $6 billion market expected to expand to $18 billion by 2023, according to Juniper Research.

Federal law requires companies to get parental permission before collecting and sharing data of children under 13. The Children’s Online Privacy Protection Act also mandates clear privacy policies. It gives parents access to their children’s data, and enables parents to have the personal information deleted, among other rules.

Consumer groups and security experts have identified other smart toys that raise privacy and security concerns.

Take the Fisher-Price Smart Toy Bear, a teddy bear stuffed with a microphone, camera, speaker, pressure plate, and an accelerometer for knowing when it’s tossed in the air. The toy can have a conversation with a child and is familiar with world events. Mattel, which owns Fisher-Price, said it has stopped manufacturing the toy, but it can still be bought from major retailers including Amazon and Walmart for $55.99.

In April, researchers at Indiana University said they discovered a security flaw that allowed them to gain unauthorized access to the toy bear’s nose camera.

» This 7-year-old makes $22 million a year playing with toys on YouTube

“It is capable of recording children or their families without any warning that the camera is in operation,” the researchers wrote. “There is no light or other indicator for the user to know the camera is in operation. Since the bear does operate as a screen-less phone, the normal notifications that are screen-based are unavailable to protect the user.”

In a statement, a Mattel spokesperson said the company “takes the safety and privacy of our consumers very seriously.”

“We have implemented various security updates since the product was manufactured in 2015,” spokesperson Lisa Fujioka said. “We have no knowledge of any consumer data breach related to this product.”

Earlier this month, the U.S. Public Interest Research Group said parents should be wary of buying Amazon’s popular children’s tablet, the Fire HD Kids Edition. The group cited research from the Mozilla Foundation, which warned that “Amazon gets to know your kid’s personal information from the cradle on.”

The tablet comes equipped with “FreeTime” software that acts as a walled garden for kids, allowing parents to limit what children can see and do on the device. Amazon gathers usage data on kids’ tablet activity so parents can monitor what their children are watching and reading. But the company said it does not share children’s data with third parties. (If parents give kids access to third party apps, however, then those third parties could collect a kid’s data, according to the privacy policy).

“This product is built from the ground up for kids, with kids and parents and their priorities in mind,” said Kurt Beidler, Amazon’s director of kids & family. “It’s been used by over 10 million kids. Parents and kids both love it. We’ve earned parents’ trust by respecting things that they care about. And kids safety, kids education, kids privacy are things that are first and foremost on that list.”

Amazon may ask for a child’s screen name (which can be any word), gender, and birth date to set up a kid’s profile. Parents must contact customer service to delete children’s activity data. In the words of Amazon, the new $129.99 “Fire HD 8 Kids Edition” tablet is “not a toy.”