Skip to the content

Taking the Leap to Smart Toys?

There’s no doubt about it; children’s toys are certainly getting much cooler these days. From interactive board games to talking dolls, the internet of toys has really taken off and more and more toys are being delivered with internet connectivity. Typically, connected toys are enabled with Bluetooth or WiFi, via a mobile handset or tablet, and rely on a mobile app to operate them. A few are more social media orientated and operate similarly to messaging apps such as WhatsApp and Snapchat.

Parents generally welcome these toys because they offer new ways of playing, learning, and the possibility of extreme personalisation. At first glance, smart toys may seem great but in the last year security researchers have raised some concerns regarding the lack of security and privacy with some of these toys.

What Are The Risks?

This is not just a heads up about potential child identity theft; there are concerns on a number of levels:

Potential hacking target: Easy ways to turn smart dolls into listening devices using free apps were identified. Researchers were also able to steal personal information directly from the servers that process and store data.

Exploitation risks: the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to gain the trust of a child could present concerns around exploitation.

Marketing manipulation: Toy manufacturers now market their wares to children as young as 3 years old. Smart toys can be used to gather information about your child and your family for targeted marketing advertising purposes. Some manufacturers specify in user agreements that they can share information gathered through the device with third parties.

Confusing terms of service and privacy agreements: we all do it; we tick the Terms of Service and Privacy agreement of these apps without reading the fine print. The long and confusing privacy and user agreements associated with smart toys can make it difficult to know what’s being tracked from day to day.

In addition to the issues identified above; researchers have found these smart toys very easy to hack or takeover. One such example is the popular My Friend Cayla doll.

Cayla is effectively a Bluetooth headset, dressed up as a doll. Like most smart toys, the doll works by referencing a database of common questions and answers contained within the mobile app. If the doll is asked a question which it does not know the answer to, it will reference the Wikipedia API.

The website tells us that there are multiple safeguards in place to make her internet safe; that Cayla can understand almost anything you say by using speech-to-text technology and that she has a “profanity filter” so that if a child were to use a bad word in her company, the doll will give a generic sanitised response, “I don’t want to talk about that”. In reality this is also a local database of around 1,500 “bad-word”s.

During testing researchers report that they identified a number of risks associated with the doll. For example the databases which the doll references are unprotected meaning that these databases could be accessed and the content changed or erased. It was also found that if the doll was out of range of the master device controlling the doll; it could be paired or connected to another device with just one tap.

My Friend Cayla is only one of many smart toys available on the market today. It is important to say at this point that not all manufacturers disregard security. There are some who place huge importance on making sure their smart toys are safe and secure for our children to interact with. Knowing the things to look out for can help you make the right choice when selecting a smart toy for your child.


What parents should check before buying

If you are considering purchasing a smart toy for your child, here are some things to look for:

Research: Research the product online to look for concerns about security or privacy. Keep in mind that if the product is new or hasn’t become popular, you may not get a clear picture of the risks.

Download the App: Before you make the purchase, download the companion app for the toy in question and make yourself familiar with the type of information the manufacturer expects you to provide. Is the toy always listening? Many parents worry, with good reason that smart devices hear too much. For example, Amazon’s Alexa, a device for adults and used by kids, has been criticised for having a microphone that is always on. So, if you say something that sounds like “Alexa,” she springs to life. Smart toys designed for kids, on the other hand, should have a microphone that can only listen when a child actively engages with it.  Check to make sure that there are no hidden charges or additional costs for downloading new content or games to the device. The ability to receive and apply regular software updates from the manufacturer is also an important part of ensuring that the smart toy can remain safe and secure.

Educate: Talk to your children about what types of information are okay to share with the toy and ask them to turn it off when not in use.

Monitor: Keep an eye on how your child uses the toy and make sure it’s turned off during discussions that include sensitive family information.

The technological opportunities made possible through the internet of toys add a whole new dimension to children’s play practices. We need to protect our most vulnerable consumers – our children – from the risks which these smart toys pose so that they can enjoy these next generation toys for the reasons which they were conceived.

Share this post

About the author

Michelle Garrigan (Lead Cyber Ninja)

Michelle Garrigan (Lead Cyber Ninja)

Michelle Garrigan volunteers as Lead Cyber Ninja researcher for CyberSafeIreland. She leads the Information and Cyber Security Programme for Ulster Bank. Michelle is a mother, self- confessed cyber- nerd, speaker and blogger. When she is not having tea with teddy bears and princesses, Michelle is actively speaking about cybersecurity, helping people understand the risks and how to better protect their digital lives.