What to do about internet-connected toys?

Dec 21, 2017 · 3 mins
Consumer Electronics, Smart Home

The allure of interactive, intelligent companions for our children is real, and perhaps unavoidable in the long term. It's best to tread lightly and slowly.

This holiday season, the Internet of Toys brings a new twist to the world of technology and children. While the connectivity and “intelligence” of these new and exciting interactive toys are amazing, they are also their greatest weakness. It’s important to be cognizant of the simple fact that these devices, while cool, cute and cuddly, are still connected devices – and that means all the same rules must apply when it comes to protecting your assets.

Internet-connected toys not only provide another option for attackers; their manufacturers also aren’t always as mature or evolved in their cybersecurity practices as other technology companies. Couple those two ideas together and it becomes clear: that fun gift can also introduce a significant amount of risk into your home network. After all, an attacker often just needs to find one way into your home to move throughout it and do all kinds of damage. The idea of an attacker using a connected toy’s sensor, camera or microphone to gain entry into your home and wreak havoc – ransomware on your PCs would be one such expected attack – is not that far-fetched anymore.

Beyond that, consider the privacy implications of how these devices operate. Ask yourself some key questions: 

  1. What information is the device collecting?
  2. Is it continually monitoring what’s going on around it?
  3. Do you have the ability to disable the “smart” features of the toy?
  4. Can the device be updated (it *is* still a rudimentary computer, after all) if a flaw or vulnerability is found in it?
  5. Do you trust the company that sold the device to be able to store any information it collects ethically and securely?
  6. Have you read the EULA and TOS to find out exactly what the manufacturer is doing with the data? Are they sending that data to third parties for other use?

Another important consideration is what happens when your child takes her connected teddy bear to her friend’s house and connects it to their open wireless network. Did you just get her friend’s house hacked too? What are the privacy implications in this scenario?

Unlike other stories in the media that may tell you to avoid smart toys entirely, I’m not suggesting we, as consumers, avoid these devices; we will continue to see more and more of these types of toys in the years to come. And of course, your kids will want them. But today’s reality is we are still in the Wild West of IoT devices and we will most likely see improvements and – thinking optimistically – regulatory changes that lead to greater security in the coming years.

The risks around interactive and connected toys are real, and substantial. But, if you decide only to play with companies that make it clear they understand the risks involved and the huge amount of trust you’re giving them by allowing them to store the most intimate information of your children, you may be able to limit your exposure to bad things happening in your home.

The allure of interactive, intelligent companions for our children is real, and perhaps unavoidable in the long term. If you’re still on the hook for gifts this year, you might check out Mozilla’s Privacy Not Included guide for those last-minute ideas. Generally speaking, though, my advice is to tread lightly and slowly, and if your children are a little older, this might be a great opportunity to start talking to them about taking their own privacy seriously.


Richard Henderson is Global Security Strategist at Absolute, where he is responsible for trend-spotting, industry-watching and idea-creating. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground.

He is a researcher and regular presenter at conferences and events, and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. He is also a skilled electronics hacker: he was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S.

Richard can be found speaking at industry conferences including Gartner’s Security and Risk Summit; he also provides media commentary for publications ranging from Wired to CSO.

Richard also helped edit colleague and friend Tyson Macaulay’s latest book on IoT Security: RIoT Control: Understanding and Managing Risks and the Internet of Things. He is currently co-authoring a 2nd edition of Cybersecurity for Industrial Control Systems.

The opinions expressed in this blog are those of Richard Henderson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.