Explaining a potential exploit, the FBI writes “Toys with microphones could record and collect conversations within earshot of the device. Information such as the child’s name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment. The collection of a child’s personal information combined with a toy’s ability to connect to the internet or other devices raises concerns for privacy and physical safety.”
This type of collected data opens up the possibility of exploitation when combined with sensors that track GPS location data as well as built-in cameras that take video or photos. This includes toys that connect directly to a private or public Wi-Fi router and toys that connect to smart devices via Bluetooth like an Android or iOS smartphone.
To protect children from any potential privacy issues, the FBI recommends researching a toy’s security measures. For instance, does the toy’s software use encryption when transmitting data into the cloud? Does the toy manufacturer offer software updates with security patches? Does the toy use authentication protection when connecting to a mobile device over Bluetooth?
The FBI also recommends researching how data collected by a smart toy will be used by the toy manufacturer or any potential third party. That includes finding out where the data being collected is stored, who has access to that data, and what happens if your data is exposed due to a potential cyber-attack.
Beyond research, parents should make sure smart toys are turned off when not in use, especially toys with built-in microphones and cameras. Parents should limit connections to secured Wi-Fi access points, such as a home’s wireless network, rather than public access points. Finally, parents should use strong passwords when setting up accounts and monitor the data being collected, if that is allowed within the toy’s software interface.
