Bill Nelson warning about cyber attack vulnerability of toys

Smart Bear

A number of popular internet-connected toys including children’s tablets, a talking stuffed bear and smart watches are vulnerable to hacking that could expose information about the child and the parents’ credit cards, according to a new cautionary report released Wednesday by U.S. Sen. Bill Nelson.

Nelson’s report, “Children’s Connected Toys: Data Security and Privacy Concerns,” which he produced as ranking member of the U.S. Senate’s Committee on Commerce, Science and Transportation, reports that a toy tablet maker already has been hacked and other popular smart toy products’  companies appear to have similar vulnerabilities.

The late 2015 hack was at VTech Electronics, a leading manufacturer of electronic learning toys and baby monitors, reportedly expensing the personal information of more than six million children around the globe, including their names, genders and birthdates, as well as photographs and account passwords.

Nelson’s report also specifically cites  security flaws found in two other popular children’s toys – Fisher-Price’s Smart Toy Bear and hereO’s GPS watch – which could have exposed not only a child’s personal information, but in the case of the GPS watch, a child’s real-time physical location as well.

A hereO spokesman responded that the vulnerability the senator’s report referenced has been fixed, and that there no longer is any risk associated with the watches.

Nelson’s point was one of caution regardless.

“It’s frightening to think that our children’s toys can be used against them in this way,” Nelson, the Florida Democrat, stated in a press release Wednesday. “The companies that make these toys have to do more to safeguard the parents and children who use them.”

The report warns that there appears to be an increased in hacker activity targeting children, despite heightened federal law to protect children’s  privacy.

“A number of factors make children a particularly attractive target for identity thieves,” the report states. “A child’s identity is a “blank slate” that can be fraudulently used over a long period of time without detection. Parents generally do not monitor their children’s credit histories and thus may not know for years that an identity thief has victimized their child. Personal information about children may also be more readily available as children and parents often fail to appreciate the potential consequences of sharing this information through social media or connected toys and devices.”

Speaking for hereO, Matt de Leon of Van Communications in London said the concerns were initially raised by a watchdog group and addressed by the company a year ago, before any of the watches has been sold, and that the company not only considers a child’s safety paramount – the very reason for the products – it continues to take steps to make sure the watches are safe.

“Since addressing the issue, we’ve been working with two world-leading cyber security firms who carry out random penetration tests of the hereO watch, smartphone app and systems to ensure there will never, ever be privacy concerns or a situation where a child is put at risk,” de Leon wrote.

Nelson cautioned parents to consider the risks during the holiday season. According to the report, various internet-connected toys have been shown to collect and thereby put at risk a variety of information, including:

* a child’s name, birthdate, gender, profile picture, chat messages, call logs and internet history;

* parents’  email address, gender, profile picture, chat messages, credit card information, phone umber, wifi password and IP address.

Nelson’s report said other companies’ products also appear to be vulnerable.

He cautioned that, if possible, parents buying any smart toy should learn in advance what personal information the toy will collect, how that information will be used, whether it will be shared with others outside the toy manufacturer, and how long it will be retained. This information can usually be found in the toy’s privacy policy, the long, small-print legal statement many consumers typically ignore.

Parents, Nelson urged, also should change default passwords that come with toys and install any available software updates; and change, if possible, the toy’s default privacy settings to limit the amount of personal information it provides to the manufacturer, allowing only information necessary for the toy to function.


Scott Powers

Scott Powers is an Orlando-based political journalist with 30+ years’ experience, mostly at newspapers such as the Orlando Sentinel and the Columbus Dispatch. He covers local, state and federal politics and space news across much of Central Florida. His career earned numerous journalism awards for stories ranging from the Space Shuttle Columbia disaster to presidential elections to misplaced nuclear waste. He and his wife Connie have three grown children. Besides them, he’s into mystery and suspense books and movies, rock, blues, basketball, baseball, writing unpublished novels, and being amused. Email him at [email protected]


Florida Politics is a statewide, new media platform covering campaigns, elections, government, policy, and lobbying in Florida. This platform and all of its content are owned by Extensive Enterprises Media.

Publisher: Peter Schorsch @PeterSchorschFL

Contributors & reporters: Phil Ammann, Renzo Downey, Roseanne Dunkelberger, A.G. Gancarski, Anne Geggis, Kelly Hayes, Joe Henderson, Ryan Nicol, Jacob Ogles, Scott Powers, Gray Rohrer, Aimee Sachs, Jesse Scheckner, Christine Sexton, Andrew Wilson, Wes Wolfe, and Mike Wright.

Email: [email protected]
Twitter: @PeterSchorschFL
Phone: (727) 642-3162
Address: 204 37th Avenue North #182
St. Petersburg, Florida 33704

Sign up for Sunburn