
Internet of Things (IoT)-Protecting Your Children

Author Marta Wang


In partnership with Breezeline

What is IoT?

What is the Internet of Things, or more commonly IoT? Look around at your child’s life and you will surely find many devices that are considered IoT. Chromebooks and tablets for school, home automation and assistants, interactive toys, and monitoring and tracking devices all count. The Internet of Things is often defined as the network of hardware devices with sensors and software that connect and exchange data with other devices and systems over the internet. Put more simply, IoT is like the internet on your normal computer, but applied to devices.

For example, your fitness tracker collects data from you, such as steps, location, and sleep. Since it is a low-power, low-storage device, the data syncs to your smartphone app via Bluetooth at regular intervals, and the fitness app sends that data to the cloud. At any time or location, you can retrieve your data from a web browser or app.

Gen Alpha and Gen Z grew up with the internet, social media, cell phones, and the Internet of Things. IoT is present in a child’s life in many ways:

  1. Education

    1. Laptops, Chromebooks, and tablets.

  2. Smart home

    1. Google Home, Amazon Alexa, and Apple HomeKit

  3. Toys 

    1. Smart toys such as dolls, robots, and interactive and conversational toys that have high-tech features like WiFi or Bluetooth connections, microphones, cameras, AI integration, sensors, and more.

    2. These toys can transmit the child's voice, image, and video to external servers where the manufacturer or the service provider can use AI to interact with the child. 

  4. Wearables and surveillance devices

    1. Baby monitors

    2. Fitness trackers

    3. Location trackers

While IoT offers education, convenience, metrics, and entertainment, there are also security and privacy concerns. Before the days of connected toys, the safety concerns were small parts and choking hazards, sharp corners, lead, or whether the toy would fall on your child. These are things that could be figured out with visual inspection and common sense. These days, the dangers and risks of toys are more invisible, revolving around digital security rather than physical security.

Security Concerns with Connected Toys

Inappropriate Communication with Children

Studies have found that strangers can communicate with children through toys with unauthenticated Bluetooth or unencrypted communication channels. The Karaoke Microphone and the Singing Machine SMK250PP are two singing machines with a microphone that use Bluetooth to pair with a smartphone. The child downloads the associated app from the Play Store to find songs to sing along to. An NCC study in 2019 found that those two toys did not require authentication, such as a PIN, when pairing with the smartphone, meaning that an attacker within Bluetooth range (33 feet) could connect to the toy to send inappropriate or manipulative messages to children (Lewis, 2019).

The same NCC study found that the Vtech KidiGear walkie-talkie uses unencrypted communication. A security flaw can be exploited to allow strangers within a 200-meter range to communicate with your child in an inappropriate or dangerous manner. Although the walkie-talkies use industry-standard AES encryption, which protects the communication after the connection is made, within the first few seconds of pairing a third device within 200 meters could sneak in to eavesdrop or communicate with children (Lewis, 2019). Toys that lack encryption allow attackers to eavesdrop and collect personal information from the child.

Network Attacks

IoT home devices are very vulnerable to network attacks such as spoofing, data breaches, and unauthorized access to the network. Unlike traditional computers and smartphones, which have many built-in protections and security updates, IoT devices are low-power and do not have the capacity for advanced security. Often, people take IoT devices out of the box and immediately plug them in without performing a security review. Default settings for IoT devices often include Bluetooth discovery mode turned on, weak default passwords, and no multi-factor authentication. An attacker could access the device through unsecured Bluetooth or Wi-Fi after a quick Google search of the default passwords. The attacker could also exploit vulnerabilities in the devices to gain access to the network and more critical devices.

Protect against network attacks by connecting your IoT devices to a guest Wi-Fi network protected by a complex password. Place your critical devices, such as computers and phones, on your main password-protected Wi-Fi network. Turn off the device and cover any cameras and microphones when not in use.

Firmware Vulnerabilities

Firmware is the code that runs on computer hardware to control the device. If the firmware is insecure, the device can be exploited by cybercriminals to install malware or gain access to the network and more critical devices. On these critical devices, the attacker has access to your personally identifiable information, financial information, medical information, and secrets. It is important to update firmware to ensure safety, reliability, and performance. While phones and computers automatically update firmware, firmware updates for IoT devices can be non-existent or a manual process. The firmware update instructions are specific to the manufacturer but generally involve connecting the toy to a computer with a USB cable and downloading the update from the manufacturer’s website.

Lack of Moderation or Blocking of Inappropriate Content on Web Platforms

Many connected toys have an app or a web platform that allows chat or lets users upload and download content. The chats may not be moderated, and swearing may not be blocked, which can result in your child seeing inappropriate language or becoming a victim of cyberbullying. Before being discontinued in 2019, Bloxels was a board game with a web component, where users could create, upload, and play games on a smartphone or tablet. The UK-based consumer rights group “Which?” found that a lack of moderation and word blockers exposed children to inappropriate language.

General Lack of Security

Many connected toys require children or parents to create an online account. The website may lack security features such as strong encryption or strong password requirements. A breach may expose users' data, which can be sold on the dark web. The exposed data could be sensitive, such as names, images of children, credit cards, birthdays, and behavioral and lifestyle information. If a smart toy communicates with a child, it is likely to use artificial intelligence and language processing to analyze the communication. The communication could be stored on a company server, and the consumer is hard-pressed to find out how the company uses or sells that information. It is possible that the server is not sufficiently protected. The CloudPet toy, a stuffed animal that collected audio messages from children, was discontinued after it was discovered that its servers were not password protected, exposing over 800,000 customer emails and passwords as well as audio messages collected by the toy (Hacked Toymaker Didn’t Alert Customers to Data Breach for Two Months, 2017).

Privacy and Data Collection

Data collected from children’s toys could be sold to advertisers and third parties. This hardly seems appropriate, given that families may not even know that a seemingly innocent child’s toy did not have their child’s interests in mind. Would you believe that the i-Que Robot, the winner of the 2015 Toy Fair’s coveted Gadget of the Year Award, had many complaints of privacy violations filed with the Federal Trade Commission? The i-Que robot is an intelligent robot that uses speech recognition to record and analyze the child’s speech and respond, allowing for intelligent two-way communication with children using Bluetooth, which for several years did not require authentication. The Electronic Privacy Information Center, the Campaign for a Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union filed a complaint with the Federal Trade Commission alleging that the parent companies Genesis Toys and Nuance Communications collect data from children and send the data to Nuance Communications. The complaint alleges that the voice recordings are stored and used for purposes beyond the toy’s functionality.

Many toys have an insufficient privacy policy that does not explain what data is being collected and how it is used. One example is the Dogness Smart CAM IPET Robot, a toy dog robot that connects to your home network via WiFi, has an HD camera, and records photos and videos. The privacy policy mostly applies to the website, not devices, and does not explain what data is collected or how it is used, but users have a right to “request information about your stored data, its origin, its recipients, and the purpose of its collection at no charge” (Privacy Not Included Review: Dogness Ipet Robot. Mozilla Foundation, 2020).

Protecting Your Family

Now that you’ve learned some of the security risks of toys, you may ask yourself, “What can I do to protect my children’s safety and privacy in the IoT world?” Fear not, here are some tips for integrating cybersecurity awareness into your child’s life. 

  1. Security is everyone’s responsibility: parents, children, manufacturers, and safety authorities.

    1. Parents should research the toys to look for negative reviews regarding security concerns. 

    2. Parents should be present any time a smart toy is set up and use their best judgment on the amount of supervision their children require.

    3. Have age-appropriate conversations about privacy and security. A few topics to consider:

      1. Under the Children’s Online Privacy Protection Act (COPPA), children under the age of 13 don’t share their personal information on the internet without the express approval of their parents. Toys that collect personal information from children must inform parents of their privacy policy, ask for parental consent, and give parents the right to have their children’s information deleted. Make a rule that if kids have to create a login account, they have to ask you first.

      2. A similar concept to the old fashioned “Don’t talk to strangers” is “don’t share personal information with a device or a computer”. Children who grew up with the internet may freely give up personal information to use services.

      3. Your child should understand that they have rights. Being surveilled and being asked to provide a lot of information should not be the norm.

      4. If you believe a device was breached, the FBI recommends that you submit a complaint on the FBI’s Internet Crime Complaint Center (IC3) https://www.ic3.gov/. 

  2. Research before you buy. 

    1. Pay special attention to toys with the following:

      1. Requires children to make an account.

      2. Default passwords

      3. Bluetooth

      4. Camera

      5. Microphone

      6. Wi-Fi

      7. Location Tracking or GPS 

      8. Learning, AI, interactive, speech and language processing

    2. Many parents find themselves in a situation where they need to quickly buy a toy to appease a child throwing a tantrum, or buy a lot of toys for a birthday or holiday with little time to research. These impulse buys do not allow time to research security flaws, and you could bring unsafe toys into your home. If this happens, keep the toy powered off until you research it and decide whether to keep or return it.

    3. Teach older kids how to research toys, paying special attention to who can communicate with them or access their data. You can ask them to write a report or presentation. Whether or not they end up getting the toy, this activity will introduce them to the security mindset and help them make good choices.

  3. Understand Risk

    1. It is unrealistic for every parent to read every privacy policy and terms & conditions for everything their child interacts with. You can manage your own risk by asking yourself if the pros of the service or entertainment value outweigh the possible privacy violation or surrender of personal data. Pay attention to the permissions required by the apps, and to any gut feeling that the product could spy on you or is asking for too much personal information.

    2. It’s unrealistic to avoid technology but you should manage your risk through proper use.

      1. Read reviews for privacy and security concerns.

      2. Watch out for recall notices and security updates.

      3. Set up connected devices together and read the manual together. 

      4. Don’t just take things out of the box. If the toy has a default password, change it to a unique password. Look for parental controls.

      5. Turn it off when not in use so it is not vulnerable to exploitation. Reset and remove old IoT devices from your home.

      6. Set up age-appropriate guidelines for your child. Set up rules for what they can do by themselves and when they need supervision or parental permission.

Of course, the best thing you can do to reduce your risk is to reduce the interaction with connected toys. Play outside and interact with other kids IRL!

Resources for Families

  1. Here are some valuable resources to help your family make safe IoT decisions. I would first start with this TrendLabs document “Internet of Things Buyer’s Guide For Smart Parents and Guardians”, which has 8 online privacy considerations when you buy a smart device.  

  2. PIRG is an advocate for the public interest providing information on public health and safety topics including internet safety and privacy.

  3. Fairplay, formerly known as the Campaign for a Commercial Free Childhood, or CCFC, advocates to protect young people online. Their blogs have articles on surveillance of children, political efforts for young people’s online protection, manipulative advertising and “influencing” aimed at kids, and more.

  4. The mission statement of the Federal Trade Commission is “Protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.” You can sign up for consumer alerts, report fraud, and report identity theft.

  5. If you believe a device was breached, the FBI recommends that you submit a complaint on the FBI’s Internet Crime Complaint Center (IC3).

  6. Report physically unsafe toys to the United States Consumer Product Safety Commission.

About the Author: Marta Wang is a cybersecurity education manager at CSNP. Marta is SANS GSEC and CompTIA Security+ Certified. She holds a master’s and bachelor’s degree in electrical engineering from the University of Washington and was a hardware security engineer, specializing in secure Field Programmable Gate Arrays, which are at the forefront of IoT.
