The Internet of Things is changing the way we live and work. From smart pacemakers to fitness tracking apps, from voice assistants to smart doorbells, technology is making our lives healthier, safer, more productive and more enjoyable. It also gives manufacturers the opportunity to bring flashy new toys to the market for our children.

The global smart toy market will see a double-digit growth rate of more than $24 billion by 2027. But when connectivity, data, and computers converge, privacy and security concerns arise. Cybersecurity firm ESET has provided information on what needs to be researched before entering the world of connected toys.

What are smart toys and the cyber risks of these toys?

Smart toys have been around for a number of years. As with any IoT device, the idea behind this toy is to use connectivity and device intelligence to provide more immersive, interactive and responsive experiences. For this, they may have features such as:

• Microphones and cameras that receive video and audio from the child
• Speakers and screens to send audio and video back to the child
• Bluetooth to connect the toy to a connected app
• Internet connection to home wifi modem

In the race to market, manufacturers may leave security behind, their products may contain software vulnerabilities or allow insecure passwords. They can store data and surreptitiously send it to third parties. In early 2019, a survey of seven smart toys found 20 notable problems, two as “high risk” and three as moderate risk. Among these problems:

• No encryption when creating and logging in an account, revealing usernames and passwords
• Weak password policy, meaning users can choose easy-to-guess credentials
• Pairing devices (ie with another toy or app) was usually done via bluetooth without the need for authentication. This allows anyone within range to connect to the toy; may lead him to stream abusive or offensive content and send manipulative messages to the child.
• In some cases (for example, children’s monitors) it turned out that a stranger simply had to buy a different device from the store in order to communicate with children who had the same toys in the area.
• Attackers could theoretically hijack a smart toy with voice capabilities to take over smart homes by sending voice commands to a voice-activated system (e.g., “Alexa, open the front door”).

How can the privacy and security risks of smart toys be eliminated?

ESET experts recommend the following when using smart toys that pose a certain level of security and privacy risks;

• Research thoroughly before purchase: Check for negative public criticism or investigation of the model’s security and privacy information.
• Secure your modem: This device is the center of your home internet and communicates with all internet connected devices in your home.
• Disable devices: To minimize risks, turn off the device when not in use.
• Get an idea about the toys: Also make sure that younger children use the toy under supervision.
• Check for updates: If the toy gets updates, make sure it’s on the latest hardware version.
• Choose the secure connection: Make sure that the devices use authentication when pairing via Bluetooth and use encrypted communication when communicating with the home modem.
• Find out where data is stored: Also find out what the company’s reputation for security is.
• When creating an account use strong and unique passwords.
• Minimize the amount of data you share: This way you run less risk if data is stolen and/or the company has a data breach.