Ian Kilpatrick, EVP Cyber Security for Nuvias Group, considers the implications of ‘Smart Toys’ for our children.
‘Smart Toys’ can be great fun. They have all sorts of interactive features that children love. But can ‘Smart Toys’ actually be dangerous for your child? At a simple security level, they can be hacked. Time-to-market is a key consideration for most suppliers and security, as we all know from other ‘smart devices’, is not high on the developers’ radar. The market doesn’t seem to demand it and ‘Smart Toy’ suppliers don’t want to raise the topic in their marketing.
However, with ‘Smart Toys’, the problem is much deeper than simply the possibility of the device being hacked, bad though that is. Many of these solutions today involve a relationship between the parent or the child and the vendor. The vendor often requests intrusive information from the get-go. For example, a number of ‘Smart Toys’ that I looked at ask for parent details, email addresses, passwords, child’s name, age, gender, dob, favourite colours and similar information.
While on the one hand this is very helpful for providing nice features such as birthday messages, favourite colour marketing, etc., it is also a scary amount of key data being handed over just for a toy, not only your key data but your child’s as well.
In some cases, suppliers process the data or calls through themselves. In at least one case I know about, that data has been hacked. If the hacked data includes the child’s address, name, age and messages, it’s quite worrying to think what use that information could be put to for by someone with malicious intent.
It’s easy to consider that your child won’t be the victim of a hack and you could be correct. And these toys are fun. However, you are providing key information to the supplier and betting that they will protect it for you and your child. While you may be confident about how you would deal with your data being compromised, it’s about risk management. For me, the limited research that I have done on specific solutions showed that not only were they insecure, but also that the data provided had, in some cases, already been breached.
Despite this, the web sites and the sales material for the toys do not refer to any risks or protection. Maybe, if you want to buy a ‘Smart Toy’ for your child, it might be an idea to wait and see how they pan out. In the meantime, there are good old-fashioned non-smart, but still desirable, toys around that don’t have this unnecessary risk profile. It’s also worth looking at the general risks of IOT devices, such as those in the home, as written about on The Register website where it reviewed the FBI’s advice.