Growing up in the 90s, the hottest toys of the decades featured hits like Skip-its, Hot Wheels, Barbies, and Tamagotchis. Today, however, children are playing with smart toys in a way their parents only dreamed of.

Smart toys – not to be confused with education toys – are playthings fitted with electronics such as microprocessors and micro-controllers. These are built in to create an interactive experience between a kid and their toy.

As the fallibility of the Internet of Things has taught us, any network is hackable. Take Facebook and Under Armour as examples. So if big-name corporations are on the chopping block for massive cybersecurity breaches, what chance does a talking doll have in comparison?

Granted, hacking a toy doesn’t hold the same weight as hacking a network which hosts tens of millions of users. It’s hardly a bragging right but it does hold criminal promise. Let’s consider the possibilities.

The Internet of Smart Toys

For a smart toy to live up to its ‘smart’ label, it’s typically equipped with sensors, microphones, cameras, data storage capabilities, speech recognition, and GPS options. Whatever data is recorded – recordings, images, addresses, web password, WiFi details – is then curated in the toy manufacturer’s database.

Clearly, this raises a number of privacy and security risks including exploitation and identity theft. Ideally, the data is kept in a closed database within each individual toy but, several cases in the past few years have shown otherwise.

Back in 2017, Internet-connected soft toys called CloudPets were revealed to have overlooked a very important part of security – password-protecting their data. This massive error led to over 820,000 records being compromised. These contained Personally Identifying Information such as the names and ages of children, as well as saved voice recordings shared through the toy between parents and children.

The same was the case with another toy manufacturer, VTech, where close to five million customer accounts where hacked. The hacker accessed a wealth of sensitive PII data which included addresses, family photos and chat histories.

There is no evidence of individual hacking cases where a child has been specifically targeted online or IRL. The potential threat, though, is real enough for the FBI to issue a Public Service Announcement regarding it. In another case, German authorities banned Bluetooth-connected toy, My Friend Cayla, due to its unsecured connection and the possibility of being used as a spying apparatus by hackers.

At the end of the day, smart toys aren’t just toys, they are poorly-guarded PII-carrying devices dressed up as playthings.

And while there are no reports yet of this happening, a child being tricked by its “toy” into opening up the front door, or any other vulnerable position, is a frightening scenario.

Play it safe

Adults have been pushed into a new digital frontier where technology married into a field which was previously regarded as simple as identifying an engaging toy. Now, they’re asked of a lot more thought and consideration than previously before.

There are two things to keep in mind when purchasing a smart toy:

Do your research: find out what’s being said about the toy you’re interested in purchasing and its manufacturer. What are the companies policies and methods regarding data collection and curation? Perhaps it’s time to finally read the Terms and Conditions. Don’t be surprised to find your data is being shared with mysterious third parties.

Educate: sit your kid down and explain to them the concept of stranger danger in this digital world.

In the end, when it comes to introducing smart toys into your child’s routine, the question you have to ask yourself is what information do you want out there?

  • Armed with a journalism degree and a passion for reading, Sana is on a mission to find her voice, gives Would You Rather? questions a little too much thought and is a recovering procrastinator.