Should We Be Concerned About Our Children With IoT?

Philip Piletic
IoT Security, Smart Home
Illustration: © IoT For All

Would you ever put something potentially dangerous near your newborn baby? Don’t be so quick to say no. Technology company insiders have found ways to install networking adapters in everything from teddy bears to baby monitors, so there’s a good chance that you already have a device in your home that’s got the potential of putting your children’s information in harm’s way.

While microphones and cameras have been incorporated into children’s toys for years, the latest generation of connected gadgets includes facial recognition technology and GPS tracking. The fact that these toys are collecting information isn’t necessarily the problem. Rather, it’s what that data could be used for that’s starting to make some parents have doubts about some of the gifts they’ve been giving to their kids.

There’s no doubt that some manufacturers have put this kind of technology to good use. Developers have put several toys on the market that help future students master STEM-related material and get a solid grasp of tech topics in a fun way. Nevertheless, privacy advocates have begun to raise red flags about the safety of IoT toys for children and how some cybercriminals could misuse some of the data they collect about the children who use them.

If any of this data is being sent over the air without proper encryption protocols, then it could very well be used as part of an identity theft scam in the near future.

Toys that Harbor Secret Dangers

Several dolls currently on the market encourage children to have make-believe conversations with them. Over time, these dolls will record portions of the conversations in the hopes of becoming more responsive later on. Children may tell a doll their name, the school they attend, and parts of their routines. While the embedded software that powers these toys is not particularly sophisticated and normally poses no real threat, the toys generally transmit information to a nearby personal computer or a remote server for processing.

End-to-end encryption isn’t common in these kinds of data links, which leaves this information sent in a format equivalent to plaintext. As a result, these toys are remarkably susceptible to machine-in-the-middle attacks. Some security advisors are suggesting that parents only ever purchase smart toys that support secure Wi-Fi access protocols. This can help reduce the risk that data could leak over a network, though it still doesn’t solve inherently insecure features such as those that rely on Bluetooth.

Ironically, products that aren’t directly marketed towards children may actually be more secure than those that are. If someone bought a child a doll that uses Bluetooth connectivity to share information with a set of other similar smart toys, then there’s a risk that sensitive information could be leaked to outside snoops. A commercial-grade Bluetooth speaker provides a similar degree of functionality, but since it’s just being used to stream music or podcasts, there’s no danger if someone happened to listen in. Some children may even appreciate receiving these kinds of gadgets as gifts much more than if they had some technology-enabled toy.

Nevertheless, smart toys have become popular enough that federal regulators are starting to take notice.

Regulating the IoT Toy Industry

Regulators have been trying to push for warning labels that would explain to parents how their children’s data is being used. So far, however, these efforts have met with only mixed success. According to one investigative report, 28 percent of IoT toy manufacturers don’t actually say whether they use encryption to protect data. Toys from many of the most popular brands do state on their boxes that they offer some data encryption, but they’re still plagued by issues related to the device pairing process.

Smart toys seldom check to see if they’re connected to a legitimate source. This latent lack of authentication could potentially lead to a variety of attacks. In a worst-case scenario, forgotten IoT toys may remain connected to a network long after they’re neglected and end up becoming parts of botnets. While it’s doubtful that these toys employ popular general-purpose operating systems as part of their embedded architectures, they’re likely to become attractive targets simply because users wouldn’t suspect there was anything wrong with a network-connected plaything.

Regulators from the Federal Trade Commission first took action against this kind of problem on June 21, 2017. They updated their COPPA guidelines and insisted that companies include built-in protections in all toys that feature the ability to connect them to the Internet. These guidelines now include any toy capable of running mobile apps or reporting its location over GPS.

Federal lawmakers have also addressed issues raised by toys that employ VoIP technology. The changes came after a demonstration that shook many computer industry specialists to their core. A little over a month before the FTC changed their rules, an 11-year-old boy by the name of Reuben Paul demonstrated how Bluetooth-enabled devices could be misused to take control of a teddy bear with an IoT sensor embedded in its belly. The sixth-grader from Texas could get the toy to execute arbitrary code simply by syncing up with it.

Despite these concerns, it’s obvious that consumers are demanding these kinds of toys in droves. Fortunately, parents can do several things to protect themselves from many of the dangers of IoT-enabled playthings.

Protecting Yourself from Inadvertent Data Leaks

Engineers are working at a feverish pace to reduce the complexity of connected devices, which will certainly help to eliminate some of these security concerns in time. Modern cellular IoT technology is considerably more secure than ad-hoc networks created on a temporary basis to connect toys to a home Wi-Fi adapter. However, it’s not reasonable to expect parents to rush out and buy new toys as soon as they’re available.

Some of these devices could potentially ship with zero-day exploits anyway. Take a look at what kind of in-place security measures come with a particular toy. Voice recorders, facial recognition, and other data collection systems should all feature some encryption. The safest systems will have security algorithms in place to protect each of these features. These are all but required on IoT-enabled child tracker systems, and it’s likely that they soon will be on many devices geared toward a younger audience.

Always read the privacy policy before you activate a toy since it should contain information about how the information will be secured. Perhaps most important, though, is the issue of updates.

IoT technicians are hard at work patching vulnerabilities around the clock. However, these patches won’t mean anything if they’re not installed regularly. If your device requires you to update it manually, then make sure that you install patches as soon as possible. Since children can’t normally be expected to install hotfixes on system firmware, an increasingly large percentage of toy manufacturers are installing these automatically.

Children might not understand why they can’t play with a particular toy while it’s updating, so it’s important to explain this to them. This could actually be a golden opportunity to teach youngsters about the importance of password hygiene and network security in a fun and relevant way. You may even want to come up with a fun nickname together, in part because you don’t want to fill in personal account details with too much information.

Reducing a Child’s Online Footprint

While providing your child’s full name and date of birth could lead to a better experience with a toy, it can also prove attractive to data thieves. While IoT-connected toys shouldn’t be shied away from simply because they incorporate sophisticated networking technology, care should be taken to keep them secure.

Children who learn a little more about cybersecurity issues from their experiences with a shiny new gadget might very well find that this knowledge helps them as they get older and grow up as true digital natives.

Philip Piletic
Editor of Love marketing & tech.