5 Reasons Why IoT Toys Should Stay off Your Christmas List

It is a merry time for us all, but nobody’s more excited about Christmas unwrapping than our little ones. There’s one thing parents hope their kids don’t expect to find under the tree, though. They may be both cute and smart, but connected toys now pose a great security threat for families everywhere.

This is why you should skip buying them this year, and if nothing changes, the year after that.

1. First, VTech got hacked in November 2015

Ever since masters of tech introduced the world to the Internet of Things, user security has been a big topic and an even bigger issue. If everything’s connected – our cars, our toasters, our smartphones, and all of a sudden our children’s toys as well – then we really cannot control who collects our life data.

What’s even more frightening, we cannot control to what end.

In conversation with Danny Palmer for ZDNet, Mikko Hyppönen, chief research officer at F-Secure, explains why he doesn’t look forward to further evolution of limitless connectivity: “The IoT devices of the future won’t go online to benefit you – you won’t even know that it’s an IoT device”.

This wasn’t the case in the holiday season of 2015. VTech had just launched its Kid Connect program, and parents around the globe were very interested in buying a Christmas gift that seemed interactive and convenient. Not only could kids have fun with it, but they could also use it to chat with their parents.

In November, the program was hacked. Even though the person behind the data breach claimed that their true intention was to expose VTech’s bad security, nearly 6,368,509 children and 4,854,209 parents were affected. Along with their names, street, email, and IP addresses, the hacker was able to download the entire chat histories between kids and parents, and to steal their personal photos.

And, these were only the early days.  

2. In February 2017, Spy Doll Was Banned from Germany

Two years later, another interactive doll caused distress in Norway, the US, and Germany. “My Friend Cayla” could connect to the internet in order to answer simple queries from kids, much like Google Assistant or Amazon’s Alexa. What wasn’t alike was the doll’s security system.

Though there weren’t any reported data breaches, the Federal Network Agency, which oversees telecommunication in this European country, was quick to ban the doll from German homes. The BBC broke the news, issuing a statement from the Toy Retailers Association that claimed that the toy “offered no special risk”.

3. Smart Teddy Bears Leaked 800,000 User Credentials the Same Month

This time, the next big incident occurred not two years, but only a few days later. The gravity of the situation matched the VTech case, resulting in 800,000 customer credentials and around two million message recordings being hacked, locked in, and held for ransom. The culprit? An innocent teddy bear.

The company behind it was California-based Spiral Toys, which stored a hefty amount of customer data within an online database that, as it turned out, wasn’t properly protected. They remained silent for two months after the incident, and for some reason failed to notify customers about the breach.

4. Over the Summer, FBI Warned Us About Toy Security Risks

With that in mind, the FBI finally took the public security matter into its own hands. Over the summer of 2017, the Federal Bureau of Investigation warned consumers to put their children’s and their own security first, and to examine toy company privacy practices and user agreement disclosures before “introducing smart, interactive, internet-connected toys into their homes and trusted environments”.

5. In November 2017, Hackers Broke Into a Range of Gadgets

This season, the FBI’s official warning seems more important than ever. Toy companies continue to make rash decisions in order to market and sell their products as soon as possible, thus making terrible security oversights, be they intentional or not. A month before Christmas, this is all hugely topical.

To one consumer group, it was also a burning matter. Which? decided to show initiative and raise awareness in a big way – by paying hackers to break not into one database, but into a range of gadgets, including Cloud Pets, Toy-fi Teddy, Furby Connect, and i-Que robot. They did it without any effort.

Unlike the aforementioned Cayla the doll and the Spiral Toys’ teddy bear, the toys in question posed a threat due to the unsecured Bluetooth connection to associated apps. As a result, anyone within 30 meters was able to connect to the toy and play unauthorized audio messages or talk to the kids.

Which? published the results of the experiment and immediately wrote to the companies at hand, asking them to stop selling the controversial toys until the security problems have been resolved. Whether or not they will take the issue seriously remains to be seen. Until then, make your Christmas lists IoT toys-free.