A number of popular internet-connected toys including children’s tablets, a talking stuffed bear and smart watches are vulnerable to hacking that could expose information about the child and the parents’ credit cards, according to a new cautionary report released Wednesday by U.S. Sen. Bill Nelson.
Nelson’s report, “Children’s Connected Toys: Data Security and Privacy Concerns,” which he produced as ranking member of the U.S. Senate’s Committee on Commerce, Science and Transportation, says that a toy tablet maker already has been hacked and that the makers of other popular smart toys appear to have similar vulnerabilities.
The late 2015 hack was at VTech Electronics, a leading manufacturer of electronic learning toys and baby monitors, reportedly exposing the personal information of more than six million children around the globe, including their names, genders and birthdates, as well as photographs and account passwords.
Nelson’s report also specifically cites security flaws found in two other popular children’s toys – Fisher-Price’s Smart Toy Bear and hereO’s GPS watch – which could have exposed not only a child’s personal information, but in the case of the GPS watch, a child’s real-time physical location as well.
A hereO spokesman responded that the vulnerability the senator’s report referenced has been fixed, and that there no longer is any risk associated with the watches.
Nelson’s point was one of caution regardless.
“It’s frightening to think that our children’s toys can be used against them in this way,” Nelson, the Florida Democrat, stated in a press release Wednesday. “The companies that make these toys have to do more to safeguard the parents and children who use them.”
The report warns that there appears to be an increase in hacker activity targeting children, despite heightened federal law to protect children’s privacy.
“A number of factors make children a particularly attractive target for identity thieves,” the report states. “A child’s identity is a ‘blank slate’ that can be fraudulently used over a long period of time without detection. Parents generally do not monitor their children’s credit histories and thus may not know for years that an identity thief has victimized their child. Personal information about children may also be more readily available as children and parents often fail to appreciate the potential consequences of sharing this information through social media or connected toys and devices.”
Speaking for hereO, Matt de Leon of Van Communications in London said the concerns were initially raised by a watchdog group and addressed by the company a year ago, before any of the watches had been sold, and that the company not only considers a child’s safety paramount – the very reason for the products – it continues to take steps to make sure the watches are safe.
“Since addressing the issue, we’ve been working with two world-leading cyber security firms who carry out random penetration tests of the hereO watch, smartphone app and systems to ensure there will never, ever be privacy concerns or a situation where a child is put at risk,” de Leon wrote.
Nelson cautioned parents to consider the risks during the holiday season. According to the report, various internet-connected toys have been shown to collect and thereby put at risk a variety of information, including:
* a child’s name, birthdate, gender, profile picture, chat messages, call logs and internet history;
* parents’ email address, gender, profile picture, chat messages, credit card information, phone number, wifi password and IP address.
Nelson’s report said other companies’ products also appear to be vulnerable.
He cautioned that, if possible, parents buying any smart toy should learn in advance what personal information the toy will collect, how that information will be used, whether it will be shared with others outside the toy manufacturer, and how long it will be retained. This information can usually be found in the toy’s privacy policy, the long, small-print legal statement many consumers typically ignore.
Parents, Nelson urged, also should change default passwords that come with toys and install any available software updates; and change, if possible, the toy’s default privacy settings to limit the amount of personal information it provides to the manufacturer, allowing only information necessary for the toy to function.