FBI warns parents of dangers of internet-connected toys

The warning follows a report by the European Commission Joint Research Centre earlier this year, which found that action needs to be taken to monitor and control the ‘Internet of Toys’, given concerns about privacy and security.

A recent University of Washington study demonstrated that most children are completely unaware that their smart toys may be storing their data.

The FBI posted a consumer notice on its website, informing parents that internet-connected toys are likely to contain components such as cameras, microphones, data storage and GPS and speech-recognition capabilities which could allow for the collection and disclosure of personal information.

“The FBI encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments […] These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed,” the statement said.

The exposure of information such as date of birth and name could create opportunities for child identity fraud, the FBI warns, while the potential misuse of sensitive information such as location and appearance – collected from embedded cameras  – could present “exploitation risks”.

Given their categorisation as a ‘safe’ object, toys are inviting to talk to, or have unguarded conversations around. This makes them useful for recording personal information about a child, such as their activities and preferences.

The FBI has advised parents to examine user agreement disclosures and privacy practices of toy companies, use encryption when transmitting data from the toy, only to use secure connections, and to research where the child’s data is stored, and to monitor children’s activities with the toys, and to turn the toy off when not in use.

“I think this is the first time the FBI has issued such warning,” said Tod Beardsley, director of research at Rapid7, a cyber-security firm. “A lot of people tend to trust the FBI as a government organisation, so it definitely raises awareness of the risk associated with internet-connected toys.”

Smart, internet-connected toys such as Hello Barbie and CogniToys Dino collect information from play sessions in order to adjust their behaviour to give the child a more realistic, intelligent companion. For instance, Hello Barbie records and stores conversations with the child in order to ‘learn’ about the child’s likes and dislikes and therefore engage in more personalised conversation.

In 2015, VTech, a British company that manufactures tablets for children, suffered a cyber attack which broke into a database storing data from more than 200,000 children. In February 2017, the German Federal Network Agency banned My Friend Cayla, a talking doll. Parents were informed that they were obliged to “destroy” their children’s dolls, as they constituted an illegal concealed espionage device.