Peeping Toys? The Disturbing Trend on Internet-Connected Devices

Shot of a baby boy looking shocked while his father holds him

Smart homes – those with appliances that are connected to the internet and accessible via an app – make refilling the fridge, adjusting the temperature and locking the front door so much easier. It makes sense, then, that parents would be interested in “smart toys” for their infants and toddlers. These internet-connected teddy bears, blocks and tablets come equipped with all kinds of nifty features – GPS trackers to locate little ones at all times, cameras so parents can see his or her face and microphones so the toys can respond to spoken words. With the holidays so close, moms and dads everywhere are no doubt thinking getting their infants a smart toy.

And while these devices do have their benefits, security issues may pose risks for babies and families.

An infant sleeping with a teddy bear.Smart toys collect sensitive information that could be hacked.

Is teddy spying on us?

Smart toys come with GPS trackers to provide local suggestions, microphones to respond to speech, sensors to react to motion and many more features. These benefits offer convenience, but the FBI warns that these attributes can be hacked.

For example, cybercriminals could break into a toy’s microphone, forcing it to record any conversations within earshot. A baby’s gurgles might not mean anything, but parents may casually talk about their infant’s name, age, day care or interests. They may even discuss more damaging information, like their own names, home address or occupations. In the hands of the wrong person, these details could be incredibly dangerous.

In addition, most makers of internet-connected devices request sensitive information during the setup process. Parents are directed to give their names, addresses and billing information, in addition to creating a password. Data breaches expose these details to potential criminals, which can lead to fraud and identity theft. What’s more, data like location history could provide clues to a family’s habits. A child may bring his or her GPS-enabled teddy bear everywhere the family goes. Over time, criminals can analyze this information and uncover a family’s home, preferred grocery store, favorite restaurant or other frequently accessed locations.

These ideas aren’t just hypothetical; they’ve happened before. In late 2015, VTech announced the customer database for its Learning Lodge app was hacked. While no credit card information was stored in the database, hackers did obtain customer’s names, encrypted passwords, security questions and answers, email addresses, mailing addresses, IP addresses and download history.

Unfortunately, time hasn’t solved this issue. Network World reported earlier this year that CloudPets suffered a breach exposing more than 800,000 customer accounts. While the company denies that any voice recordings were stolen, this doesn’t change the fact that the FBI warning specifically alludes to this feature.

What should parents get their children for the holidays?

Parents must first consider the risks when thinking of buying an internet-connected toy. If possible, it’s best to read the item or company’s user agreement contracts and privacy practices so mom and dad understand how their data is collected, stored and used. Will usage information be sold to a third party for marketing purposes? Are sensitive details like home addresses encrypted in a protected database? Answering these questions helps parents evaluate the potential dangers of a specific toy.

That said, even the best security measures aren’t impervious, and mom and dad still run the risk of the device itself getting hacked. For those who are concerned about privacy, it may be best to go with an old school toy like regular blocks, dolls and picture books.

Autumn Green is an artist-turned-writer who traded the sweet tea of the south for the deep dish pizza of Chicago. Her favorite subjects include art, culture, design, small business/entrepreneurship and healthful living.