Hackable Holidays: Dangers of toys that spy on kids

This is the first of WTOP’s consumer series Hackable Holidays, which explores privacy concerns associated with smart devices and how consumers can better protect themselves this holiday season.

WASHINGTON — Smart toys that connect to the internet are at the top of kids’ wish lists this year, but experts say the toys can be used to spy on them and expose children to predators.

“They have microphones. They have cameras. They have recording devices. They store the data in the cloud, which is fairly easily accessible with an email address and a password. It’s not a far jump really to understand the danger,” said Tracy Walraven with D.C.’s Department of Forensic Science Digital Evidence Unit.

The lab, which also processes digital forensic evidence for D.C. police, is one of the first to explore what Walraven calls the Wild West of the toy industry.

How they work

Because the toys, by and large, connect to Wi-Fi, Walraven said a secured home network is imperative to protect smart toys from being hacked. She suggested turning off the toy when it’s not in use and not connecting it to free, public or unsecured networks.

While securing the Wi-Fi connection that the toy uses to operate is part of the battle against hacks, Walraven said there is also a secondary platform where a child’s information could be vulnerable.

“All the data that this toy collects, it’s either stored on the toy itself or it’s stored within some sort of mobile device capacity. But most of it is stored on the cloud, which is why it has got to have internet access,” Walraven said.

Security vulnerabilities

The data the toy uploads to the cloud often includes recordings of a child’s interactions, including their answers to what Walraven said can be invasive questions.

“They’re asking about a child’s daily life. Where they go to school; what time they get picked up,” she said as examples. The toys collect identifying information which Walraven said could be used by a hacker to gain a child’s trust.

“What’s stopping someone with not-so-good intentions who lives next door to go to pick up the child and say, ‘Your mommy told me to come get you’,” she said.

Just a few years after the first connected toys debuted on toy shelves, major brands, such as Mattel and Fischer Price, are marketing their smart toys to children.

And many smart toys including Hello Barbie, Furby Connect, i-Que Intelligent Robot, Cloud Pets and Toy-Fi teddy, to name a few, interact with a child on topics that parents may find unsettling, Walraven said.

In the case of the Hello Barbie for example, a child’s answers are saved on the cloud and can be accessed through a portal parents sign into to hear and share their child’s interactions with the toy.

“These small MP3 files can be passed around easily, which when you put that into the hands of someone using this not to help the child, that poses a danger,” Walraven said.

Privacy concerns

A recent survey of 600 parents by the nonprofit found that when it comes to smart toys, their children’s privacy is their No. 1 concern.

“They’re concerned about data hacks. They’re concerned about outsiders hacking into these toys and talking to their children. Now, there have been preciously few of these incidents but there have been some, so they are right to look into it,” said Stephen Balkam, founder of the Family Online Safety Institute.

About one in every third toy either has some kind of connectivity or the toy has its own life online, Balkam said.

Limited research has been conducted on smart toys, and while digital labs are delving into what the Wi-Fi-enabled toys can do, consumer warnings abound.

In July, the FBI released a consumer alert to parents about connected toys, which can collect a child’s voice, physical location, internet use history, IP address — all of which are linked to a parent’s account.

The U.S. Public Interest Research Group named smart toy “My Friend, Cayla” doll to its unsafe toy list for 2017 citing its faulty Bluetooth, which could allow for the improper collection of data on children. The doll is already banned in Germany, and U.S. consumers have filed a complaint with the trade commission.

There are very few instances of children’s toys being hacked, but protections are needed with this technology, said Balkam.

“We talk about a culture of responsibility that goes all the way up to the government itself, which must come up with reasonable oversight and support … The [Federal Trade Commission] is obviously looking into this … but it’s going to fall increasingly on parents,” he said.

While the FTC oversees regulation of such technology, there is no requirement that manufacturers include warning labels that the devices could be hacked or that the toys could be used to spy on children.

However the Children’s Online Privacy Protection Act applies to websites and online services, including devices that connect to the “internet of things,” such as smart toys, and gives parents control over what information is collected from their children.


The FBI’s consumer notice suggests parents do the following before buying a smart toy:

  1. Research any known security issues with the toy.
  2. Only connect smart toys to trusted and secured Wi-Fi.
  3. Look into the toy’s internet and device connection security measures.
  4. Use authentication when pairing the device with Bluetooth, such as a pin or password.
  5. Stay up to date with any manufacturer security update or patches.
  6. Investigate where the user data is stored, with the company, a third party source or both.
Megan Cloherty

WTOP Investigative Reporter Megan Cloherty primarily covers breaking news, crime and courts.

Federal News Network Logo
Log in to your WTOP account for notifications and alerts customized for you.

Sign up