FTC warns Christmas buyers that smart toys are a security risk

Thinking of giving a young person an internet-connected smart toy this Christmas?

If so, the US Federal Trade Commission (FTC) wants you to think very carefully about the hidden and serious security risks you might be handing over with it.

It would be easy to dismiss such advice as glaringly obvious, but the FTC puts its finger on three capabilities that often spell trouble. These are:

  • If the toy has a camera or microphone, what control do owners have over how this operates and where any data is stored?
  • Does the toy send emails or connect to social media?
  • What control do adults have over the device’s management and security?

The FTC advice also reminds buyers to pay attention to bundled services:

  • What sort of privacy and consent policy does the service provider have regarding the toy’s usage (especially if it’s for someone under the age of 13) and the data it generates? And is any data shared?
  • How easy is it to delete personal account data?

We’d add one of our own to this list:

  • Does the vendor have a history of patching known security problems?

There’s a mountain of evidence that many toys that have some or all of the above capabilities will fail on several counts.

‘Smart’ often isn’t

On past evidence, many products are hastily cobbled together at a software level, with the result that both the device and online account security will be terrible. Very few will be patched for weaknesses.

A particularly bad example of the woes of this sector is the sad case of the SMA M2 kids’ smartwatch.

Thousands bought these watches for kids to use as safety trackers when out and about until test organisation AV-Test discovered that hackers could exploit weaknesses to access accounts and find out where kids were, including pictures of what they look like, their names and current locations.

This wasn’t simply a device security problem but a child safety disaster. But security problems like this usually only come to light later, after the product becomes mainstream.

This is just one example of a problem that has beset the whole toy industry: cheap toys built around kindergarten security designs. Because they’re made and sold cheaply, and the industry is poorly regulated, there is no incentive to improve security.

What to do

How do buyers know whether the smart toy they have bought has poor security?

First, run a search on the model and manufacturer to see whether they’ve had security problems in the past.

Next, pay attention to the privacy policy because this, at least, is something that should make explicit any data collection involved with its use.

If this mentions sharing data with third parties, our advice is to walk away. Sharing or selling of children’s data might also contravene data protection regulations such as the US Children’s Online Privacy Protection Act (COPPA).

Keep children safe by spending some time researching the privacy implications of smart toys before buying.