Internet of Things (IoT)-Protecting Your Children
Author Marta Wang
In partnership with Breezeline
What is IoT?
What is the Internet of Things, or more commonly IoT? Look around at your child’s life and you will surely find many devices that are considered IoT. Chromebooks and tablets for school, home automation and assistants, interactive toys, and monitoring and tracking devices all count. IoT is often defined as the network of hardware devices with sensors and software that connect and exchange data with other devices and systems over the internet. More simply put, IoT is like the internet on your normal computer, but applied to devices.
For example, your fitness tracker collects data from you, such as steps, location, and sleep. Since it is a low-power, low-storage device, the data syncs to your smartphone app via Bluetooth at regular intervals and the fitness app sends that data to the cloud. At any time or location, you can retrieve your data from a web browser or app.
Gen Alpha and Gen Z grew up with the internet, social media, cell phones, and the Internet of Things. IoT is present in a child’s life in many ways:
Laptops, Chromebooks, and tablets.
Google Home, Amazon Alexa, and Apple HomeKit
Smart toys such as dolls, robots, and interactive and conversational toys that have high-tech features like Wi-Fi or Bluetooth connections, microphones, cameras, AI integration, sensors, and more.
These toys can transmit the child's voice, image, and video to external servers where the manufacturer or the service provider can use AI to interact with the child.
Wearables and surveillance devices
While IoT offers education, convenience, metrics, and entertainment, there are also security and privacy concerns. Before the days of connected toys, the safety concerns were small parts and choking hazards, sharp corners, lead, or whether the toy could fall on a child. These are things that could be figured out with visual inspection and common sense. These days, the dangers and risks of toys are more invisible, revolving around digital security rather than physical security.
Security Concerns with Connected Toys
Inappropriate Communication with Children
Studies have found that strangers can communicate with children through toys with unauthenticated Bluetooth or unencrypted communication channels. The Karaoke Microphone and Singing Machine SMK250PP are two singing machines, each with a microphone that uses Bluetooth to pair with a smartphone. The child downloads the associated app from the Play Store to find songs to sing along to. An NCC study in 2019 found that those two toys did not require authentication, such as a PIN, when pairing with the smartphone, meaning that an attacker within Bluetooth range (33 feet) could connect to the toy to send inappropriate or manipulative messages to children (Lewis, 2019).
The same NCC study found that the VTech KidiGear walkie-talkie uses unencrypted communication. There was a security flaw that can be exploited to allow strangers within a 200-meter range to communicate with your child in an inappropriate or dangerous manner. Although the walkie-talkies use industry-standard AES encryption, which protects the communication after the connection is made, within the first few seconds of pairing a third device within 200 meters could sneak in to eavesdrop or communicate with children (Lewis, 2019). Toys that lack encryption allow attackers to eavesdrop and collect personal information from the child.
Network Attacks
IoT home devices are very vulnerable to network attacks such as spoofing, data breaches, and attackers gaining access to the network. Unlike traditional computers and smartphones with many built-in protections and security updates, IoT devices are low-power and do not have the capacity for advanced security. Often, people take IoT devices out of the box and immediately plug them in without performing a security review. Default settings for IoT devices often have Bluetooth discovery mode on, weak default passwords, and no multi-factor authentication. An attacker could access the device through unsecured Bluetooth or Wi-Fi after a quick Google search of the default passwords. The attacker could also exploit vulnerabilities in the devices to gain access to the network and more critical devices.
Protect against network attacks by connecting your IoT devices to a guest Wi-Fi network protected by a complex password. Place your critical devices such as computers and phones on your main password-protected Wi-Fi network. Turn off the device and cover any cameras and microphones when not in use.
Firmware Vulnerabilities
Firmware is the code that runs on computer hardware to control the device. If the firmware is insecure, the device can be exploited by cybercriminals to install malware or gain access to the network and more critical devices. On these critical devices, the attacker has access to your personally identifiable information, financial information, medical information, and secrets. It is important to update firmware to ensure safety, reliability, and performance. While phones and computers automatically update firmware, firmware updates for IoT can be non-existent or a manual process. The firmware update instructions are specific to the manufacturer but generally involve connecting the toy to a computer with a USB cable and downloading the update from the manufacturer’s website.
Lack of Moderation or Blocking of Inappropriate Content on Web Platforms
Many connected toys have an app or a web platform that allows chat or lets users upload and download content. The chats may not be moderated, and swearing may not be blocked, which can result in your child seeing inappropriate language or becoming a victim of cyberbullying. Before being discontinued in 2019, Bloxels was a board game with a web component, where users could create, upload, and play games on a smartphone or tablet. The UK-based consumer rights group “Which?” found that a lack of moderation and word blockers exposed children to inappropriate language.
General Lack of Security
Many connected toys require children or parents to create an online account. The website may lack security features such as strong encryption or strong password requirements. A breach may expose users' data, which can be sold on the dark web. Sensitive data could be exposed, such as names, images of children, credit cards, birthdays, and behavioral and lifestyle information.
If a smart toy communicates with a child, it is likely to use Artificial Intelligence and language processing to analyze the communication. The communication could be stored on a company server, and the consumer is hard pressed to find out how the company uses that information or whether it sells it. It is possible that the server is not sufficiently protected. The CloudPet toy, a stuffed animal which collected audio messages from children, was discontinued after it was discovered that its servers were not password protected, exposing over 800,000 customer emails and passwords as well as audio messages collected by the toy (Hacked Toymaker Didn’t Alert Customers to Data Breach for Two Months, 2017).
Privacy and Data Collection
Protecting Your Family
Now that you’ve learned some of the security risks of toys, you may ask yourself, “What can I do to protect my children’s safety and privacy in the IoT world?” Fear not, here are some tips for integrating cybersecurity awareness into your child’s life.
Security is everyone’s responsibility: that of the parents, children, manufacturer, and safety authorities.
Parents should research the toys to look for negative reviews regarding security concerns.
Parents should be present any time a smart toy is set up and use their best judgment on the amount of supervision their children require.
Have age-appropriate conversations about privacy and security. A few topics to consider:
A similar concept to the old-fashioned “Don’t talk to strangers” is “Don’t share personal information with a device or a computer”. Children who grew up with the internet may freely give up personal information to use services.
Your child should understand that they have rights. Being surveilled and being asked to provide a lot of information should not be the norm.
If you believe a device was breached, the FBI recommends that you submit a complaint to the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/.
Research before you buy.
Pay special attention to toys with the following:
Requires children to make an account.
Location Tracking or GPS
Learning, AI, interactive, speech and language processing
Many parents find themselves in a situation where they need to quickly buy a toy to appease a child throwing a tantrum or buy a lot of toys for a birthday or holiday with little time to research. These impulse buys will not allow time to research the security flaws and you could bring unsafe toys i