What should you do now that the FBI is warning parents about connected toys?


It was a surprise for Julie, mother of two kids, and owner of connected toys — fluffy stuffed animals that allow parents to send voice messages through the huggable toy.

“All of a sudden, got an email that our account was hacked,” Julie told Archer News. “I was like, ‘Who would hack a kids’ toy?’”

Too many people, according to the FBI.

The agency just put out a warning for parents, telling them to do a lot more homework before buying the cool-but-potentially-dangerous connected toys flooding stores and online markets.

Crooks can use the toys to steal your child’s identity, open up credit accounts in their name, track them down to your home and even try to hurt them, the FBI said.

The warning did not mention any toy by name.

The FBI’s message: as a parent, you need to protect your kids by researching the toys first, before bringing them home — if you bring them home at all.


The My Friend Cayla doll is an example of a connected toy — with a history. Photo: Forbrukerrådet 


Is it really that bad?

Before you launch your research, you may have questions.

Julie, for example, wonders if the voice recordings she and her husband left for their kids through their toys — and the messages the children sent back — could be a risk.

“What harm would it be to listen to parents’ ‘I love you, good night’?” she asked. “Sweet messages from a parent to a child.”

The FBI said that connected toys can gather more data than you might think — with microphones, cameras, sensors, GPS and more.


A representative of the Norwegian Consumer Council demonstrates how people can use cell phones to talk to children through the My Friend Cayla doll. Image from Forbrukerrådet


“In some cases, toys with microphones could record and collect conversations within earshot of the device,” the alert said. “Information such as the child’s name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment.”

Some companies take in your child’s date of birth, pictures, address, location and Internet use history — all tools a criminal would find useful for child identity fraud or to gain your child’s trust, according to the FBI.

If they build trust, they can convince children to take pictures of themselves or meet in person.

“The collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety,” the FBI added.

What can you do?

Check out a toy online before you buy it, the FBI recommended.

You may find that security researchers have already discovered security holes in the very toy your child is begging you to buy.

Julie’s toys — the CloudPets — have a track record.


Researchers found security holes in the CloudPets, as well as a leaky database. Image via Spiral Toys


A researcher found security gaps that could let a bad guy control your kid’s toy, and another researcher found the toy company’s database exposed on the Internet, allowing people to go in and see customer — and kid — information.

Consumer groups filed complaints over two connected toys in December.

People can easily electronically eavesdrop on your child’s conversation — and talk to them as well — through the My Friend Cayla talking doll, the groups said.

A member of the Norwegian Consumer Council demonstrated how he could talk to your child through the doll, using his cell phone.

The i-Que Intelligent Robot is also not secure, according to the groups.

“I absolutely don’t think parents should buy these toys,” Josh Golin with the Campaign for a Commercial Free Childhood said to Archer News at the time. “The privacy and security concerns are simply too great.”


Consumer groups filed security & privacy complaints against My Friend Cayla and i-Que Intelligent Robot in December. Photo: Forbrukerrådet 


There’s more

The FBI has additional advice for parents:

—Research the toy’s Internet and device connection security measures (does the device need a PIN or password to connect via Bluetooth? does the company encrypt the data?)

—Research if your toys can receive firmware and/or software updates and security patches

—If they can, ensure your toys are running on the most updated versions and any available patches are implemented

—Research where user data is stored – with the company, third party services, or both – and whether any publicly available reporting exists on their reputation and posture for cyber security



Read up

You should also read the disclosures and privacy policies for the toy company and any third-party company involved, the FBI said, looking for these points:

—If the company is victimized by a cyber-attack and your data may have been exposed, will the company notify you?

—If vulnerabilities to the toy are discovered, will the company notify you?

—Where is your data being stored?

—Who has access to your data?

—If changes are made to the disclosure and privacy policies, will the company notify you?

—Is the company contact information openly available in case you have questions or concerns?




Unfair burden?

Some cybersecurity experts say the FBI warning is not enough.

“Expecting consumers to do their homework before making an Internet connected toy purchase isn’t going to happen,” said Michael Patterson, CEO of Plixer.

For example, will you be able to make sense of a company’s disclosure and privacy policies, if you do the recommended research?

“Our government needs to step in and establish laws surrounding the collection of big data,” he added.

In some countries, governments have taken extreme steps. Germany banned sales of the My Friend Cayla doll in February, calling it a spy device.


The Norwegian Consumer Council took My Friend Cayla apart to investigate the doll’s security. Image from Forbrukerrådet 


If you buy

If you decide to buy the connected toys — or if you already have one, you can take these steps to help protect your family, the FBI said:

—Only connect and use toys in environments with trusted and secured Wi-Fi Internet access



—Closely monitor children’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if such features are available

—Ensure the toy is turned off, particularly those with microphones and cameras, when not in use

—Use strong and unique login passwords when creating user accounts (e.g., lower and upper case letters, numbers, and special characters)

—Provide only what is minimally required when inputting information for user accounts (e.g., some services offer additional features if birthdays or information on a child’s preferences are provided)


CloudPets advertised the toys as a way to connect families. Image via Spiral Toys



On top of the security risks, some parents are finding out their connected toys are high-tech flops.

Three popular tech toys failed families on Christmas morning, according to complaints.

At last check, Julie said her CloudPets were not working either, which to her is more frustrating than the security issues.

“They are awesome toys,” she said. “But the complications and the problems almost don’t make the toy worth it.”