As a parent, you do everything you can to keep your children safe. This year, extend that due diligence to internet-connected toys.

Some internet-connected children’s devices have recently been compromised. One such device, VTech’s Kid Connect app, experienced a data breach that exposed personal data belonging to 6.4 million children. Cloudpets, an internet-connected stuffed animal that allows family members to send voice messages to the toy, and children to reply, was also hacked, exposing private messages between family members. Although the company that made Cloudpets has gone out of business, Mozilla and the Electronic Frontier Foundation warned of other serious security risks related to Cloudpets still being used in homes, including hackers’ ability to intercept the toy’s Bluetooth signal and load malicious audio messages onto the toy.

“The collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety,” according to the Federal Bureau of Investigation (FBI). “In addition, companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs. The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”

How to evaluate internet-connected gadgets

These types of risks are reasons to do your due diligence on connected devices, using these 10 practices for all internet-connected devices.

For connected toys specifically, follow these tips from the FBI:

  1. Check for any known reported security issues. Use online resources from sites that conduct cyber security research, consumer product reviews and child and consumer advocacy.
  2. Only connect and use toys in environments with trusted and secured Wi-Fi access.
  3. Research the toy’s security measures. Be sure it uses authentication when pairing the device with Bluetooth (via PIN code or password) and uses encryption when transmitting data.
  4. Choose toys that can receive firmware and/or software updates and security patches and keep the toys updated.
  5. Research where user data is stored – with the company, third party services, or both. Read disclosures and privacy policies and consider:
    • If the company is victimized by a cyber-attack possibly exposing your data, will the company notify you?
    • If vulnerabilities to the toy are discovered, will the company notify you?
    • Where is your data stored?
    • Who has access to your data?
    • If changes are made to the disclosure and privacy policies, will the company notify you?
    • Is the company contact information openly available for consumer questions or concerns?
  1. Closely monitor children’s activity with the toys (such as voice recordings) through the toy’s partner parent application.
  2. Make sure that the toy is turned off when not in use, particularly those toys with microphones and cameras.
  3. Use strong and unique login passwords when creating user accounts (e.g., lower and upper case letters, numbers and special characters).
  4. Provide only what is minimally required when inputting information for user accounts.

UL works with manufacturers of internet-connected toys to ensure their final product meets globally accepted criteria qualifying the device for children’s use, offering tests such as:

    • EMC testing to assess the ability of electronic devices to operate as intended when in proximity to other electronic devices.
    • Radio testing of the performance and functionality of a product that incorporates wireless technologies.
    • SAR testing to measure the electromagnetic energy absorbed by a body in proximity to wireless devices, intended to verify that a device doesn’t exceed a country’s established RF exposure limits.
    • Bluetooth Qualification satisfying requirements to use Bluetooth technology and the logo.
    • Over-the-Air Testing to predict real-world wireless device reliability and performance capabilities, required by many standards organization, carriers, vendors and regulatory bodies.

Always look for the UL Toy Safety Certification Mark

When purchasing any toy, look for the UL Toy Safety Certification Mark to show that a toy meets the U.S. government’s ASTM F963-17 Standard Consumer Safety Specifications for Toy Safety. This ASTM requirement encompasses tests for the suitability for use by children and includes tests of the mechanical components, chemical composition, flammability and other hazards (not related to cyber security).

While internet-connected toys can be loads of fun, it’s important to take extra precautions to keep your kids and their data secure.