Taking a cautious approach to the upcoming deluge of smart toys hitting store shelves for the holiday shopping season, theFBI has issued a public service announcement warning parents about the risks of bringing anInternet-connected toy into the household. Specifically, the FBI is concerned about the amount of personal information that could be "unwittingly disclosed" during normal use of the toy.
Explaining a potential exploit, the FBI writes "Toys with microphones could record and collect conversations within earshot of the device. Information such as the childs name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment. The collection of a childs personal information combined with a toys ability to connect to the Internet or other devices raises concerns for privacy and physical safety."
This type of collected data opens up the possibility of exploitation when combined with sensors that track GPS location data as well as built-in cameras that take video or photos. This includes toys that connect directly to a private or public Wi-Fi router and toys that connect to smart devices via Bluetooth like an Android or iOS smartphone.
To protect children from any potential privacy issues, the FBI recommends researching a toy's security measures. For instance, does the toy's software useencryption when transmitting data into the cloud? Does the toy manufacturer offer software updates with security patches? Does the toy use authentication protection when connecting to a mobile device overBluetooth?
The FBI alsorecommends researching how data collected by a smart toy will be used by thetoy manufacturer or any potential third party. That includes finding out where the data being collected is stored, who has access to that data, and what happens if your data is exposed due to a potentialcyber-attack.
Beyond research, parents should make sure smart toys are turned off when not in use, especially toys with built-in microphones and cameras. Parents should limit connections tosecured Wi-Fi access points, such as a home's wireless network, rather than public access points. Finally, parents should use strong passwords when setting up accounts and monitor the data being collected, if allowed within the toy's software interface.