Future Tense

The FBI Is Warning Parents About the Risks of Internet-Connected Toys Spying on Kids

My Friend Cayla doll

My Friend Cayla

The FBI sent a warning to parents earlier this week: Your children’s new internet-connected toy could be secretly spying on them.

“These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities — including speech recognition and GPS options,” the agency wrote in its advisory on Monday, warning that these high-tech toys can be hacked to record video and audio of children unbeknownst to parents.

The FBI says that exposing this kind of information could open the doors to child identity fraud and put kids at risk for exploitation from criminals.

As more and more toys go to market that are packed with microphones and cameras, security researchers are finding ways to remotely break into them and collect sound recordings, video feeds, and other sensitive data is on the rise.

For instance, in February, Germany banned the smart-doll My Friend Cayla from being sold in the country and ordered all the dolls to be taken off the shelves. Germany’s telecomm regulator found that the doll could be hacked to record private conversations transmitted over the doll’s Bluetooth connection.

And back in December, a U.S. privacy watchdog, the Electronic Privacy Information Center, sent a compliant to the Federal Trade Commission about the security risks in My Friend Cayla. In response, Sen. Ed Markey, D-Mass., launched a congressional inquiry. The doll has not been banned in the U.S., though Markey noted that recording private conversations of kids 12 and under without parental consent is a violation of the Children’s Online Privacy Protection Act.

And then there was the case of the cuddly, internet-connected stuffed animals called CloudPets from February. The bear is supposed to allow parents and kids to exchange cute messages recorded by the toy. But it turns out that Spiral Toys, the manufacturer, was storing the personal account information and voice recordings of Cloud Pet owners online in an easy-to-hack database. Two million personal recordings from the Cloud Pets were leaked online, according to Motherboard.

A researcher with the U.K.-based security firm Context later found that the teddy bear could be remotely turned on to collect audio to spy on kids. Though didn’t happen in the wild, hackers could theoretically use it to harass children playing with the doll.

Though this information has been coming out piecemeal, it’s a big deal that the FBI is calling attention to the problem of internet connected toys. “I think this is the first time the FBI has issued such warning,” Tod Beardsley, director of research at cyber security firm Rapid7, told Reuters. He noted that this week’s FBI advisory could do a lot to raise awareness of the dangers of insecure internet-connected children’s toys. (Since parents always check with the FBI before buying their kids new toys, right?)

It’s true that anything connected to the internet can ostensibly be hacked. But that doesn’t mean parents need to abandon smart toys all together. Toys that are packed with artificial intelligence and microphones and internet connections can help teach young people how to code and help families with busy schedules stay connected. Those are all good things.

The FBI recommends that parents do their research before shelling out cash for a new smart toy to make sure that security problems with the device haven’t been reported. It’s also important to only go online with the toys over a secure internet connection and to ask where data collected from the toy is stored and how.

One concrete thing that parents can look out for when shopping for safe internet-connected toys are seals on the box that indicate that the they are compliant with children’s data protection and privacy laws. The Federal Trade Commission, the U.S. regulatory agency that handles consumer protection, has a certification program that allows manufacturers to get a seal to put on their box or website if the product has been found to properly protect children’s privacy. One such seal program, KidSAFE, has three levels of certification that websites and hardware companies can submit their product to for approval.

Of course, as with all new potentially privacy invasive technologies, the other option is to just go analog and stick to regular old teddy bears.