According to the FBI statement, the Internet-connected toys usually contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to a large amount of personal information that may be unwittingly disclosed. The collected information is transferred to the manufacturer’s server or cloud service. The data can contain passwords, home addresses, telephone numbers and other private details, which can be exposed if the security level is not sufficient.
The FBI also emphasized that Bluetooth-connected toys that do not have authentication requirements (such as PINs or passwords) when pairing with the mobile devices could pose a risk for unauthorized access to the toy and allow communications with a child user. It could also be possible for unauthorized users to remotely gain access to the toy if the security measures used for these connections are insufficient or the device is compromised.
The bureau advised consumers to examine toy company user agreement disclosures and privacy practices, determine where their family’s personal data is sent and stored, including if it’s sent to third-party services.
“Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use. Consumers should perform online research of these products for any known issues that have been identified by security researchers or in consumer reports,” said in the warning.
It should be recalled that in February, the German Federal Network Agency (Bundesnetzagentur), which oversees telecommunications, told parents to destroy a talking doll called Cayla manufactured by Genesis Toys because its smart technology can reveal personal data.