Don’t Buy Internet-Connected “Smart Toys” for Your Kids

Just when you thought talking toys couldn’t get more annoying, new internet-connected toys like the Furby Connect and i-Que Intelligent Robot are smarter than their predecessors, allowing your child to ask questions, get answers, send audio messages, and more. And thanks to unpatched security holes, they’re more dangerous, too.

Not only are many of these toys collecting information that can be stolen, but some of them can even allow attackers to talk to your child through the toys. And sure, lots of internet-connected devices have security problems—but these devices are aimed at your children. Is it really worth the risk to buy them an internet-connected toy that’s only slightly better than a regular toy?

Many Toys Contain Security Holes That Hackers Can Exploit

Computer security is complex. Big tech companies like Google, Microsoft, and Facebook pour tons of resources into keeping your information secure, and doing so is often a moving target. Toy companies do not always take things so seriously.

Technology site Which? found that four out of seven tested smart toys could be easily hacked over Bluetooth, because they just don’t take the necessary steps to secure the connection. The vulnerable toys included the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy, and CloudPets.

With a simple Bluetooth trick, an attacker would merely need to connect to the device with their phone, after which point they could—depending on the toy—control its motion, send an audio file, or even type in a message that the toy would speak out loud to the child. You can imagine the kind of trouble someone standing outside your house could cause by talking to your child through their toy.

And this is just the most recent news story on the subject. Earlier this year, security researcher Troy Hunt found that CloudPets, a line of toys that allows you to send and receive voice recordings, had left their entire database of 2 million recordings—of children and parents—open to the internet, for anyone to grab. VTech, a company that makes toy tablets and laptops for kids, lost tons of personal information for kids and parents (including home addresses) in a public data breach. Germany has even banned kids’ smart watches as “illegal spying devices” after they were shown to be insecure.

A few of these companies have even been sued for being unclear about what data is transmitted to the internet and shared with third parties.

Many of These Companies Do Not Care to Fix Problems

You’d think repeated security breaches and controversy would light a fire under these companies to do better…but so far, that hasn’t been the case. In fact, when many of these issues were discovered, the researchers in question attempted to disclose them to the companies—but many were either brushed off or ignored entirely. For example, here’s what Hasbro had to say to Which? about the Furby vulnerability:

Furby-maker Hasbro told us that it takes our report “very seriously”, but feels that the vulnerabilities we’ve exposed would require someone to be in close proximity to the toy and posses the technical knowledge to re-engineer the firmware.

“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience,” the firm added. “The Furby Connect toy and Furby Connect World app were not designed to collect users’ name, address, online contact information (e.g., user name, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.”

This seems to indicate that Hasbro sees no problem with their insecure toy. Who wants to place bets on whether they’ll fix it?

Other companies were more receptive, and hopefully those devices will receive software updates. But many won’t. After all, just look at how often old Android phones get updates—and those are major tech manufacturers, not toy companies.

The Risk Is Not Worth the Benefit

Look, to an extent, Hasbro is right—an attacker would need to be within Bluetooth range for the Furby exploit to work, and Bluetooth range isn’t particularly long (about 30 feet). They’d also have to know where a child with the toy lives. But Bluetooth can pass through walls, and Bluetooth devices broadcast themselves to everyone with a smartphone—so if someone was determined enough, all they’d have to do is walk down the street waiting for a toy to appear. If you’re in a neighborhood with smaller houses close to the street (or a family-friendly apartment building), it’s easier than you think.

We don’t want to sound like we’re scaremongering here: while it may not be an enormous risk, it’s more likely than your Amazon Echo spying on you, and we are all admittedly more skittish when it comes to kids’ safety than we are our own. Kids are easy targets for ne’er-do-wells on the internet, whether it’s creepy Peppa Pig videos meant to scare them or something more nefarious. It doesn’t matter how big or small the risk is, most of us are going to be conservative—especially when the reward that accompanies that risk is small.

And that’s the real bottom line here. A kidnapper is probably not going to sit outside your house attempting to hack your kids’ toys. But are the toys really novel enough to warrant the risk? Many of these toys are advertised for kids as young as 2 or 3 years old. It seems unlikely that a 2 or 3 year old is going to appreciate the features of an internet-connected smart toy vs any other talking bear.

Whitson Gordon is is the editor-in-chief of How-To Geek. He is also a Windows user, PC builder, metalhead, chopstick-using potato chip eater, and Midwest-to-Southern California transplant. You can follow his nerdy exploits on Twitter and Facebook.