Don’t be stupid when buying smart toys, new Senate report warns

Fisher-Price’s Smart Toy Bear has security flaws, a new Senate report says.

You may have heard about smart toys that can allegedly “spy” on families.

The Internet-connected toys My Friend Cayla and i-Que Robot could be listening and recording conversations, say 18 consumer groups, which recently filed a complaint with the Federal Trade Commission.

Now a new Senate report unveiled Wednesday by U.S. Sen. Bill Nelson (D-FL) is cautioning parents about the privacy risk associated with so-called smart toys.

Smart toys, which can interact with a child by connecting to the internet, can become a target for hackers and identity thieves looking to steal a parent’s or child’s personal information, which is often stored by the toymaker.

The report cites three incidents in which smart toy manufacturers failed to adequately secure a child’s personal information.

One such incident involved a data breach at VTech Electronics, a leading manufacturer of electronic learning toys and baby monitors. The breach, which occurred last year, reportedly exposed the personal information of more than six million children around the globe, including their names, genders and birthdates, as well as photographs and account passwords.

The report went on to cite security flaws found in two other popular children’s toys – Fisher-Price’s Smart Toy Bear and hereO’s GPS watch – which could have exposed not only a child’s personal information, but in the case of the GPS watch, a child’s real-time physical location as well.

These toys, and the companies that make them, often collect and store a wide range of personal information about the consumers who use them, including names, addresses, birthdates, physical locations, credit card information and Wi-Fi passwords, to name a few.

The report noted that, if these devices are improperly secured, criminals can use the information stored on them in a variety of ways. For example, a child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts or apply for a loan. Additionally, a child’s name, home address, online contact information or physical location can be used to contact or even abduct that child.

“It’s frightening to think that our children’s toys can be used against them in this way,” said Nelson, the top Democrat on the Senate Commerce Committee. “The companies that make these toys have to do more to safeguard the parents and children who use them.”

Monday, hereO issued the following statement: “Whilst hereO was included in this report, at no point was any child ever at risk. Firstly, the watch hadn’t even been produced yet, so no children could be wearing them. Secondly, after we were contacted about the potential issue (which related to the smartphone app during its testing phase) in December last year, we fixed it within four hours.


“The safety of children is paramount to absolutely everything we do – it’s why hereO exists, and the reason the hereO watch includes features like child safety zones, breadcrumb trail logs and a panic button. It’s also why we dealt with this situation so quickly, and continually work with leading edge technology partners.


“Since addressing the issue, we’ve been working with two world-leading cyber security firms who carry out random penetration tests of the hereO watch, smartphone app and systems to ensure there will never, ever be privacy concerns or a situation where a child is put at risk.


“We’re very thankful to Rapid7 for highlighting the issue to us a year ago, during our testing phase, and grateful for the valuable support of the global IoT community in our combined and relentless efforts to maintain a bar-none, zero-tolerance environment for the safety and security of our users,” hereO said.

The report recommends the following before purchasing a toy:


  • Learn what personal information the toy will collect, how that information will be used, whether it will be shared and how long it will be retained. This information can usually be found in the device’s privacy policy. If a toy’s privacy policy is too long and confusing, parents may want to reconsider giving that product to their child.


  • Check whether the manufacturer of a particular toy has been the subject of a previous data breach and how the company handled that breach.


After purchasing a toy:


  • Change the default passwords that come with the toy and install any available updates to the toy’s software.


  • If possible, change the toy’s default privacy settings to limit the amount of personal information it provides to the manufacturer. Parents should allow a toy to collect only the information that is necessary for it to properly function.



