Internet-Connected Smart Toys Pose Cyber Security Risk

  • iReviews
  • May 28, 2017

The cyber security nightmare continues and it has a new target: connected smart toys. Whether it’s the Anki Cozmo, Robo Wunderkind, Lego Boost or the Sphere 2.0 – an entirely new class of revolutionary smart toys is hitting the consumer marketplace. As much as these toys provide an entirely new way to engage children in the digital world, they continue to be vulnerable to hackers and pose a significant security risk.

The Importance of Firewall Protection

Spiral Toys, the creator of the CloudPets toy line, had close to 800,000 user accounts and an additional two million voice message recordings exposed online. The exposure was discovered through the search engine Shodan and verified by Motherboard. Spiral, the company known for its connected teddy bears, compromised an entire batch of its customers because of an unsecured internal database.

Without the protection of a firewall or an encrypted password, Spiral Toys joins a list of manufacturers whose databases have been an easy target for online hackers. From Cayla Doll to Hello Barbie to the toys from VTech, the inventory of unsecured smart toys is growing by leaps and bounds.

According to a recent article in The Verge, the uptick in unsecured databases comes down to two things: money and a lack of cyber security resources. “It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every piece of data they hold on you and your family can be in the public domain in mere minutes,” security researcher Troy Hunt, who exposed the database, said on his blog.

Compromised Databases

Discussing the Spiral Toys security breach, Hunt pointed to a failing parent company as the reason behind the database compromise. “The company is worth less than half a cent per share.” Building a secure database takes a sophisticated team dedicated to safeguarding information with the latest technology. Buyer beware: if the e-commerce company you’re about to place an order with is struggling financially, there’s a pretty good chance that your information may end up in the public domain without you knowing.

In the case of Hello Barbie, the software maker scrambled to fix major security bugs during the 2016 holiday shopping season. Researchers found that the internet-connected doll from Mattel could have both its application and cloud server hacked – giving the public access to recordings of children’s conversations with Barbie. The flaw would have eventually allowed hackers to access the home addresses of parents who purchased the doll. In November 2015, hackers stole information from more than 6.4 million children who used the Learning Lodge app store for VTech toys.

Do Your Research

The advice for safeguarding you and your children from a future cybersecurity threat: research the company that manufactures the smart toy. If a companion app comes with the smart toy, make sure that you fully understand the privacy disclosure and, more importantly, never give parental permission to collect data on your household or your child’s preferences. In addition, it’s important to research what the company does with the information it collects online. Is it selling consumer buying habits to third parties? And does the data stored on the device stay there, or is it available to external parties?

Finally, keep your smart toys safe from online predators by purchasing one of the “5 Best Home Firewalls of 2017”. As iReviews mentions in its comparison article, there are literally thousands of different ways that folks with malicious intentions can access your devices and potentially steal valuable information.