Internet-connected toys putting the privacy and safety of children at risk, warns ICO

The Information Commissioner's Office has warned that Internet-connected toys and other IoT devices that will be sold during the Christmas shopping season could put the privacy and safety of children at risk.

Data protection and privacy issues should be considered as important as personal safety of children while purchasing Internet-connected toys.

The Deputy Information Commissioner has, in a blog post, asked parents to consider privacy and data security concerns before purchasing Internet-connected toys for their children during the upcoming Christmas shopping season, starting with Black Friday.

Steve Wood said that the ICO is concerned about how secure Internet-connected toys are from malicious hackers, and that there are concerns relating to some IoT toys over what data is collected, by whom, where it is stored and how it is secured.

YOU MAY ALSO LIKE:

'You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?,' he wrote.

'In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into,' he added.

Wood said that before purchasing Internet-connected toys, parents must research the security of such products by visiting manufacturer websites and reading up on security update processes, privacy notices and policies and also to go through third-party reviews.

Parents are also being asked to familiarise themselves with the security and privacy options associated with such devices before gifting such toys to their children. This will help them understand existing security implications and will help them secure their personal data.

Since Internet-connected toys will require Internet connection at all times, parents must ensure that Wi-Fi routers are secured with strong passwords at all times, and that they must replace default device passwords with suitably strong passwords, preferably two-factor authentication, on the lines of existing password hygiene practices.

Other recommendations from the ICO include turning off web cameras in device settings if parents do not wish to view footage over the Internet, getting rid of default location tracking and GPS settings and replace them with strong, unique passwords, and disabling unencrypted Bluetooth connections.

Discussing best online safety practices with children and making them aware about security implications will also go a long way in securing personal data stored by Internet-connected devices in the future.

'The ICO and other stakeholders are also working with manufacturers, wholesalers and retailers through the Secure By Default project, which aims to encourage data protection considerations from the outset in product development and commercial purchasing decisions, providing better protection for consumers in future,' Wood added.

Back in Novermber, tests conducted by various security experts and mentioned in a report by consumer firm Which? revealed various security flaws in Bluetooth-enabled toys like the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets.

The research found that the I-Que Intelligent Robot, which is being sold by Argos and Hamleys, uses Bluetooth to pair with a phone or tablet over an unsecured connection which can be exploited by anyone in the vicinity.

Similarly, Furby Connect, which is sold by Argos, Amazon, Toys R Us and Smyths, uses no security features while pairing with other Bluetooth devices, including laptops, thereby allowing anyone within its range to remotely communicate with a child.

A range of Bluetooth-enabled toys named CloudPets also feature serious security issues that allow malicious actors to hack them and make them play their own voice messages. A kitten version of CloudPets was previously hacked and made to order its own cat food from a nearby Amazon Echo, and a researcher was able to hack into the toy from outside the street.