FBI Warns About Internet-Connected Toys' Security Risk

Do you want your kid's Barbie doll or stuffed animal to spy on you? Probably not, and that's why the FBI has warned consumers to consider their child's privacy and cyber security before "introducing smart, interactive, internet-connected toys into their homes or trusted environments."

A rising number of toys have been connected to the internet. Mattel actually made a smart Barbie doll, CloudPets made internet-connected stuff animals, and other companies have turned rudimentary playthings into Internet of Things (IoT) devices. The problems occur when companies don't secure these products--that smart Barbie can be hacked, and CloudPets' stuffed animals leaked private information and voice recordings.

The FBI said in a public service announcement that these toys "typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options." Gone are the days of toys being expensive bits of molded plastic; now they're basically miniature computers that happen to be shaped like toys. Parents are going to have to adapt to this change in playtime.

But how? Well, according to the FBI, by paying much more attention to everything about a toy. The agency said:

Consumers should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services. Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use. Consumers should perform online research of these products for any known issues that have been identified by security researchers or in consumer reports.

That's a lot of research to devote to one toy. Many people will probably see something on a store shelf--or cave after their child sees something--and buy it without thinking to examine user agreement disclosures and privacy practices. These people are busy raising their children; they shouldn't be expected to become security experts whenever their kid asks for the latest-and-greatest toy. Yet that's what the FBI recommends.

This problem isn't limited to toys. Many objects are being connected to the internet, and we've seen time and time again that companies don't take the necessary precautions to secure them. Politicians, digital rights groups, and other organizations have pushed for change, but right now buying an IoT device is like walking through a minefield. You probably shouldn't, but if you do, you'll have to keep your wits to emerge unscathed.

You can find more information about protecting your and your child's privacy when purchasing smart toys in the FBI's public service announcement. The agency encouraged anyone who thinks an internet-connected toy might not be safe to file a complaint with the Internet Crime Complaint Center. (And if you think a toy is alive, you should probably lay off the "Toy Story," just to be on the safe side.)

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • shrapnel_indie
    .... but Chucky is alive... and not in a toy-story way.....

  • derekullo
    Little Sally I don't know how to say this but ...

    Your Barbie is an undercover spy for the KGB.

    Everything she told you was a lie.

    Her husband Ken is not even her real husband

    They were both assigned as a pair by Moscow to do surveillance of your father.

    This must be very hard for you to hear.
  • drwho1
    Parents should simply STOP buying expensive toys, specially toys that can put their children at risk.
  • why_wolf
    Simple don't buy any toy that is connected to the internet. Frankly you shouldn't buy anything that is IoT, they're almost as a rule universally terrible. Especially when it comes to security.
  • dstarr3
    I totally look forward to the day when I'll have to flash security updates on all of my kids' stuffed animals and toy cars. Seriously, just stay away from IoT.
  • Gillerer
    People aren't aware of the risks involving IoT devices.

    Even if you are, chances are the device doesn't get any updates you could "flash" on it. If it does get updates, they're only the minimum effort to make the device with faulty firmware work as advertized - no security improvements will be involved.