TECHNOLOGIES

FBI warns about privacy issues with smart toys

Back in my day, a toy was considered pretty risky if it had a chance of putting a kid's eye out. Toys today are so dangerous that the FBI is issuing warnings against them -- but the dangers are digital, not physical. Having examined the current crop of internet-connected toys, the FBI has concluded that they're an unnecessary risk at best, and a privacy violation waiting to happen at worst.

The information comes from a consumer notice posted by the FBI's Internet Crime Complaint Center entitled "Internet-Connected Toys Could Present Privacy and Contact Concerns for Children." The notice points out that so-called "smart" toys often have "sensors, microphones, cameras, data storage components, and other multimedia capabilities — including speech recognition and GPS options."

In theory, these allow the toys to learn children's play styles and interact with them in a more personalized fashion. In practice, the so-called Internet of Things is a poorly secured mess of security vulnerabilities, and smart toys are no exception.

The first major risk factor is the sheer amount of information that smart toys can collect. Parents usually have to register for an account, which can include names, birth dates, addresses and even pictures of parents, children or both. Some toys can "talk" with children, and as such, collect information by microphone. This microphone can record not only inane childish babble, but also whatever parents are saying in the background. Even a child, by him or herself, could supply information like a name, an address and where he or she goes to school.

More From Tom's Guide

All of this might be OK if smart toys weren't so wildly variable in terms of how well they're secured. Smart toys communicate with the internet either via Wi-Fi or Bluetooth (connected to an iOS or Android device in the latter case), and transmit information either to company servers or to third parties (which perform voice transcription). It's not at all clear what kind of encryption toy companies use to prevent man-in-the-middle attacks, or how secure their servers may be against a data breach.

Furthermore, many of Bluetooth-connected toys don't use pairing PINs, which could let any passing person hijack the connection. This isn't much of a risk if a toy stays at home, but how many children bring favorite toys to school, parks or elsewhere out and about in the world?

In terms of recommendations, the FBI does not condemn any particular brand of smart toy, or say that parents have to eschew them outright. The agency suggests that parents research toys before purchasing them to see whether there are any known security risks, as well as to only use them on secured, private Wi-Fi networks. Parents should read terms of service to see whether the company can share recorded information with third parties, and leave the toy powered off whenever it's not in use.

If all that sounds like too much effort, however, you can always buy regular old inanimate toys. Just be careful if they launch missiles — that’s a timeless, almost quaint risk to your child's health and safety.