CSNP

Internet of Things (IoT) - Protecting Your Children

Author Marta Wang


In partnership with Breezeline

What is IoT?

What is the Internet of Things, or more commonly IoT? Look around at your child’s life and you will surely find many devices that are considered IoT. Chromebooks and tablets for school, home automation and assistants, interactive toys, and monitoring and tracking devices all count. IoT is often defined as the network of hardware devices with sensors and software that connect and exchange data with other devices and systems over the internet. Or, more simply put, think of the internet on your normal computer: IoT is like that internet, but applied to devices. For example, your fitness tracker collects data from you, such as steps, location, and sleep. Since it is a low-power, low-storage device, the data syncs to your smartphone app via Bluetooth at regular intervals, and the fitness app sends that data to the cloud. At any time or location, you can retrieve your data from a web browser or app. Gen Alpha and Gen Z grew up with the internet, social media, cell phones, and the Internet of Things. IoT is present in a child’s life in many ways:

  1. Education

     • Laptops, Chromebooks, and tablets.

  2. Smart home

     • Google Home, Amazon Alexa, and Apple HomeKit

  3. Toys

     • Smart toys such as dolls, robots, and interactive and conversational toys that have high-tech features like Wi-Fi or Bluetooth connections, microphones, cameras, AI integration, sensors, and more.

     • These toys can transmit the child's voice, image, and video to external servers where the manufacturer or the service provider can use AI to interact with the child.

  4. Wearables and surveillance devices

     • Baby monitors

     • Fitness trackers

     • Location trackers

While IoT offers education, convenience, metrics, and entertainment, it also raises security and privacy concerns. Before the days of connected toys, the safety concerns were small parts and choking hazards, sharp corners, lead, or whether the toy could fall on a child. These are things that could be figured out with visual inspection and common sense. These days, the dangers and risks of toys are more invisible, revolving around digital security rather than physical security.

Security Concerns with Connected Toys

Inappropriate Communication with Children

Studies have found that strangers can communicate with children through toys with unauthenticated Bluetooth or unencrypted communication channels. The Karaoke Microphone and the Singing Machine SMK250PP are two singing machines with a microphone that use Bluetooth to pair with a smartphone. The child downloads the associated app from the Play Store to find songs to sing along to. An NCC study in 2019 found that those two toys did not require authentication, such as a PIN, when pairing with the smartphone, meaning that an attacker within Bluetooth range (33 feet) could connect to the toy to send inappropriate or manipulative messages to children (Lewis, 2019). The same NCC study found that the Vtech KidiGear walkie-talkie uses unencrypted communication. A security flaw can be exploited to allow strangers within a 200-meter range to communicate with your child in an inappropriate or dangerous manner. Although the walkie-talkies use industry-standard AES encryption, which protects the communication after the connection is made, within the first few seconds of pairing a third device within 200 meters could sneak in to eavesdrop or communicate with children (Lewis, 2019). Toys that lack encryption allow attackers to eavesdrop and collect personal information from the child.

Network Attacks

IoT home devices are very vulnerable to network attacks such as spoofing, data breaches, and unauthorized access to the network. Unlike traditional computers and smartphones with many built-in protections and security updates, IoT devices are low-power and do not have the capacity for advanced security. Often, people take IoT devices out of the box and immediately plug them in without performing a security review. Default settings for IoT devices often leave Bluetooth discovery mode on, use weak default passwords, and offer no multi-factor authentication. An attacker could access the device through unsecured Bluetooth or Wi-Fi after a quick Google search of the default passwords. The attacker could also exploit vulnerabilities in the devices to gain access to the network and more critical devices. Protect against network attacks by connecting your IoT devices to a guest Wi-Fi network protected by a complex password. Place your critical devices, such as computers and phones, on your main password-protected Wi-Fi network. Turn off the device and cover any cameras and microphones when not in use.

Firmware Vulnerabilities

Firmware is the code that runs on computer hardware to control the device. If the firmware is insecure, the device can be exploited by cybercriminals to install malware or gain access to the network and more critical devices. On these critical devices, the attacker has access to your personally identifiable information, financial information, medical information, and secrets. It is important to update firmware to ensure safety, reliability, and performance. While phones and computers automatically update firmware, firmware updates for IoT can be non-existent or a manual process. The firmware update instructions are specific to the manufacturer but generally involve connecting the toy to a computer with a USB cable and downloading the update from the manufacturer’s website.

Lack of Moderation or Blocking of Inappropriate Content on Web Platform

Many connected toys have an app or a web platform that allows chat or lets users upload and download content. The chats may not be moderated, and swearing may not be blocked, which can result in your child seeing inappropriate language or becoming a victim of cyberbullying. Before being discontinued in 2019, Bloxels was a board game with a web component, where users could create, upload, and play games on a smartphone or tablet. The UK-based consumer rights group “Which?” found that a lack of moderation and word blockers exposed children to inappropriate language.

General Lack of Security

Many connected toys require children or parents to create an online account. The website may lack security features such as strong encryption or strong password requirements. A breach may expose users' data, which can be sold on the dark web. The exposed data could be sensitive, such as names, images of children, credit cards, birthdays, and behavioral and lifestyle information. If a smart toy communicates with a child, it is likely to use artificial intelligence and language processing to analyze the communication. The communication could be stored on a company server, and the consumer is hard pressed to find out how the company uses or sells that information. It is possible that the server is not sufficiently protected. The CloudPet toy, a stuffed animal which collected audio messages from children, was discontinued after it was discovered that its servers were not password protected, exposing over 800,000 customer emails and passwords as well as audio messages collected by the toy (Hacked Toymaker Didn’t Alert Customers to Data Breach for Two Months, 2017).

Privacy and Data Collection

Data collected from children’s toys could be sold to advertisers and third parties. This hardly seems appropriate, given that families may not even know that a seemingly innocent child’s toy did not have their child’s interests in mind. Would you believe that the i-Que Robot, the winner of the 2015 Toy Fair’s coveted Gadget of the Year Award, had many complaints of privacy violations filed with the Federal Trade Commission? The i-Que robot is an intelligent robot that uses speech recognition to record and analyze the child’s speech and respond, allowing for intelligent two-way communication with children using Bluetooth, which for several years did not require authentication. The Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood, The Center for Digital Democracy, and Consumers Union filed a complaint with the Federal Trade Commission alleging that the parent companies Genesis Toys and Nuance Communications collect data from children and send the data to Nuance Communications. The complaint alleges that the voice recordings are stored and used for other purposes beyond the toy’s functionality. Many toys have an insufficient privacy policy that does not explain what data is being collected and how it is used. One example is the Dogness Smart CAM IPET Robot, a toy dog robot that connects to your home network via Wi-Fi, has an HD camera, and records photos and videos. The privacy policy mostly applies to the website, not devices, and does not explain what data is collected or how it is used, but users have a right to “request information about your stored data, its origin, its recipients, and the purpose of its collection at no charge” (Privacy Not Included Review: Dogness Ipet Robot. Mozilla Foundation, 2020).

Protecting Your Family

Now that you’ve learned some of the security risks of toys, you may ask yourself, “What can I do to protect my children’s safety and privacy in the IoT world?” Fear not, here are some tips for integrating cybersecurity awareness into your child’s life. 

  1. Security is everyone’s responsibility. It is the responsibility of the parents, children, manufacturer, and safety authorities.

  2. Parents should research the toys to look for negative reviews regarding security concerns.

  3. Parents should be present any time a smart toy is set up and use their best judgment on the amount of supervision their children require.

  4. Have age-appropriate conversations about privacy and security. A few topics to consider:

     • Under the Children’s Online Privacy Protection Act (COPPA), children under the age of 13 don’t share their personal information on the internet without the express approval of their parents. Toys that collect personal information from children must inform parents of their privacy policy, ask for parental consent, and give parents the right to have their children’s information deleted. Make a rule that if kids have to create a login account, they have to ask you first.

     • A similar concept to the old-fashioned “Don’t talk to strangers” is “Don’t share personal information with a device or a computer”. Children who grew up with the internet may freely give up personal information to use services.

     • Your child should understand that they have rights. Being surveilled and being asked to provide a lot of information should not be the norm.

  5. If you believe a device was breached, the FBI recommends that you submit a complaint to the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/.

  6. Research before you buy.

  7. Pay special attention to toys with the following:

     • Requires children to make an account

     • Default passwords

     • Bluetooth

     • Camera

     • Microphone

     • Wi-Fi

     • Location tracking or GPS

     • Learning, AI, interactive, speech and language processing

  8. Many parents find themselves in a situation where they need to quickly buy a toy to appease a child throwing a tantrum or buy a lot of toys for a birthday or holiday with little time to research. These impulse buys will not allow time to research the security flaws and you could bring unsafe toys i