- January 9, 2018
- Posted by:
What you can do to protect your kids from risky toys after the VTech settlement.
Before you give your child a connected toy, play with it first.
That is Travis Smith’s recommendation.
He’s a cybersecurity expert with Tripwire, and he learned first-hand how important his advice is when he bought a new high-tech toy for his child.
“We were interacting with it before we gave it to him,” Smith said.
“A week later I get an e-mail saying, ‘Oh, here’s the conversations your child had,’” he remembered. “I had no idea it was recording anything that we were doing with it.”
It turns out the toy keeps records of your kids’ voices and stores them digitally — a surprise for Smith and his family.
And a risk, if hackers broke into the database, stole the recordings and other details, and traced it back to them.
“We threw it away very quickly,” he said.
The Federal Trade Commission said VTech had security & privacy problems with some products, including the Kid Connect app, used by toys like the InnoTab. Image credit: Archer News.
Toss them out?
Smith’s message is not for you to throw out all of your connected toys.
But he warns, be careful, and take steps to protect your kids.
The latest fine and settlement involving toy giant VTech is a reminder that toy companies may not be keeping your kids’ data safe.
“Your average parent should know what you’re putting in front of your child,” Smith told Archer News. “You shouldn’t just give them an Internet-connected toy and say, ‘Have fun!’”
Screenshot of VTech’s Kid Connect app, part of the company’s security failure, according to the FTC. Image credit: VTech
How do you do it?
Start by learning what the toy does — before you buy.
Google it.
Watch commercials closely, read advertising carefully, and look up YouTube videos of kids playing with the toy, Smith advises.
Check to see if it records voices, videos, personal habits of your child.
Some toys “get to know your kids” by following what they do and say, and building a digital profile on them.
“It’s very easy for an attacker to exploit some of these random websites, these random toys, that are collecting video of your child playing with the toy or recording what the sound of their voice is,” Smith said.
Then cute pictures of your child — along with personal data — are in the hands of a stranger.
“Your child is sweet, but not everybody else in the world is,” Smith said.
“That’d be horrible as a parent to know that some hacker on the other side of the world can get video of your child sleeping or playing,” he added.
Other crooks will sell that data for bitcoin, trading in futures of a different kind — your child’s future, since thieves can grab kids’ info to open credit card accounts, make fake identities and more for years to come.
VTech said its smartwatch used the Kids Connect app, found to have faulty security & privacy issues by the FTC. Image credit: VTech
Next step
When you know how the toy works, check to see what the company does with your child’s data.
Unfortunately, toy companies don’t always make it easy to find out.
“It’s not like a lot of this stuff is on the box so that you would know right away — where it’s extremely clear exactly what’s being collected and how it’s being used,” said Michael Kaiser, executive director of the National Cyber Security Alliance.
Learn as much as you can online before you buy.
Search up the instruction manual.
Request the terms and conditions ahead of time, if necessary.
This is the time you really need to pay attention to those pesky terms, Kaiser said to Archer News.
“Parents really need to do their research on these devices,” he explained. “They actually need to read the terms and conditions. I know a lot of us don’t in the app world and some of these things.”
“But when their kids are involved and these connected toys are involved, they really need to read the privacy policies and terms and conditions of use,” he added. “It just has to be part of their buying experience.”
Screenshot of VTech’s Kid Connect app, part of the company’s security failure, according to the FTC. Image credit: VTech
Confusing
Yeah, you say, but those terms and policies are confusing.
And they are.
Try looking for the word ‘security.’
“See if the manufacturer talks at all about security,” Kaiser said. “See to what degree the manufacturer talks about security and the importance of security.”
For example, VTech — just fined $650,000 over security failures — told parents in its terms and conditions in 2016 that they had to accept the fact that their child’s info could be stolen, sparking anger and backlash.
“All because YOU got hacked I’m suppose to give your company permission to allow my childs info to be out there. Are you nuts?” a Maryland mom posted on VTech’s Facebook page. “Way to go Vtech, you’ve lost a customer…”
Another parent told VTech in June 2017 that they were unhappy with a fee to prove they’re an adult.
“I am extremely upset that my son can not use his VTech tab because even after I spent all that money on it, I still have to HAVE a credit card to pay a small fee to “verify” an adult set it up..that’s ridiculous. so now I have to go and get a credit card that I never wanted just for $1???? That was suppose to be my son’s birthday gift and now he can’t even use it the way he wants to,” Regina Dixon wrote.
Ask questions
If you don’t understand the terms and conditions, you can contact the company and ask questions about your child’s details.
“What’s being collected? How’s it being used?” Kaiser said. “What control do I have over that, if any?”
Does the company say it’s encrypting — or scrambling — the data so it would be hard to use if stolen?
You can check for things like how the company will update your toy’s software — crucial for keeping your toy secure.
Ask, for example, how do you expect to secure this device over time?
Or, if a software patch becomes available, how will you notify me?
What happens to my child’s info if the company goes out of business?
“Consumers drive a lot of this conversation,” Kaiser said. “If people raise their voices about both security and privacy as well, I think this is a good thing and expresses to manufacturers that they have great concern about this.”
VTech’s policy from 2016 telling parents to accept that their child’s info could be hacked. Image credit: VTech
Digital footprint
You can also read reviews to see if other parents have had problem with the toy and how the company responded.
Do an Internet search to see if researchers have found a security hole — or if attackers have already hacked in.
You might find things like this:
—Germany has banned smartwatches for kids
—A popular stuffed animal exposed kids’ voice recordings
—Consumer groups filed complaints against some smart toys over risky behavior
—The FBI warned parents about connected toys
—Families grew frustrated over high-tech toys that flopped on the big day, some in a very big, furry, disappointing way
Researchers found security holes in CloudPets, as well as leaky data. Image credit: Spiral Toys
Also, ask yourself if it is worth it to put your child’s future at risk, since this part of their digital footprint could live on for decades.
A dossier of their habits, their earliest thoughts, their formation, their behaviors over time.
Criminal hackers could steal your child’s info now— and then exploit it for the rest of their lives.
“Some parents aren’t as concerned, right?” said Kaiser. “I think they need to understand, though. That data has a long life.”
“They should have all the information that’s available to them to make an informed decision about whether this is the kind of toy they want to bring into their home,” said Kaiser. “Children can’t make these decision for themselves.”
Your checklist
Here is a checklist to use when you buy a connected toy to help you protect your family: Archer News Parent Checklist for Connected Toys
For more information, you can read about the Children’s Online Privacy Protection Rule — or “COPPA”— on the Federal Trade Commission site.
This FTC post explains the law for parents.
Main image: VTech children’s smartwatch. Image credit: VTech