The allure of interactive, intelligent companions for our children is real, and perhaps unavoidable in the long term. It's best to tread lightly and slowly.

Credit: David DeHetre

This holiday season, the Internet of Toys brings a new twist to the world of technology and children. While the connectivity and “intelligence” of these new and exciting interactive toys are amazing, they are also their greatest weakness. It’s important to be cognizant of the simple fact that these devices, while cool, cute and cuddly, are still connected devices – and that means all the same rules must apply when it comes to protecting your assets.

Internet-connected toys not only provide another option for attackers, but their manufacturers also aren’t always as mature or evolved in their cybersecurity practices as other technology companies. Couple those two ideas together and it becomes clear that a fun gift can also introduce a significant amount of risk into your home network. After all, an attacker often just needs to find one way into your home to move throughout it and do all kinds of damage. The idea of an attacker using a connected toy’s sensor, camera or microphone to gain entry into your home and wreak havoc – ransomware on your PCs would be one such expected attack – is not that far-fetched anymore.

Beyond that, consider the privacy implications of how these devices operate. Ask yourself some key questions:

What information is the device collecting?
Is it continually monitoring what’s going on around it?
Do you have the ability to disable the “smart” features of the toy?
Can the device be updated (it *is* still a rudimentary computer, after all) if a flaw or vulnerability is found in it?
Do you trust the company that sold the device to be able to store any information it collects ethically and securely?
Have you read the EULA and TOS to find out exactly what the manufacturer is doing with the data?
Are they sending that data to third parties for other use?

Another important consideration is what happens when your child takes her connected teddy bear to her friend’s house and connects it to their open wireless network. Did you just get her friend’s house hacked too? What are the privacy implications in this scenario?

Unlike other stories in the media that may tell you to avoid smart toys entirely, I’m not suggesting that we, as consumers, avoid these devices entirely; we will continue to see more and more of these types of toys in the years to come. And of course, your kids will want them. But today’s reality is that we are still in the Wild West of IoT devices, and we will most likely see improvements and – thinking optimistically – regulatory changes that lead to greater security in the coming years.

The risks around interactive and connected toys are real, and substantial. But if you decide only to play with companies that make it clear they understand the risks involved and the huge amount of trust you’re giving them by allowing them to store the most intimate information of your children, you may be able to limit your exposure to bad things happening in your home.

The allure of interactive, intelligent companions for our children is real, and perhaps unavoidable in the long term. If you’re still on the hook for gifts this year, you might check out Mozilla’s Privacy Not Included guide for those last-minute ideas. Generally speaking, though, my advice is to tread lightly and slowly, and if your children are a little older, this might be a great opportunity to start talking to them about taking their own privacy seriously.