Blog: Android

Why buying a smart toy for a child might be the craziest thing you could do

Joe Bursell 10 Dec 2015

There are 15 days until Christmas so there’s still plenty of time to be rummaging around looking for presents and having them delivered. Enough time to actually think about what you’re buying for your nearest and dearest, I’ll still fail at some point though and end up sending the hollowest of gifts: vouchers.

What I won’t be doing, now or possibly ever, is buying anyone important to me a “smart” toy.

Smart toy consumer advice

The main reason I dislike smart toys is that as a general rule of thumb their security is terrible. While manufacturers speak of the play benefits of tablets and talking dolls, in our experience they have a great deal to learn about how to protect your child’s safety and privacy. You would think that a toy marketed as ‘kid safe’ or ‘safe and secure’ would have security nailed. In most cases, it seems not!

If you’re thinking of giving a smart toy at Christmas, or any other time of year, here’s some advice that may be helpful to you in making the right choices.

Think about the data

A defining feature of smart toys is that they are usually connected to the internet via an app or Wi-Fi. This means that there is information flowing between the toy, smartphone/tablet and the manufacturer. In itself this isn’t a worry, smart toys harvest data in order to function, it’s what makes them “smart”.

What is a worry is how that data is handled. Does it use a secure channel? Is it encrypted? Are the manufacturer’s systems where your child’s data is stored robust enough to withstand being hacked? Here’s a three word answer: VTech database breach.

The manufacturers of the InnoTab Max kids tablet insufficiently protected themselves, which allowed hackers to access and steal data which was gathered from tablets via their app. While they said that no credit card or banking information was compromised they couldn’t say the same for 6.4 million children’s names, genders, and dates of birth, as well as postal and email addresses. According to the BBC there is evidence that photographs and chat session logs were also compromised.

Unlike your credit card and banking details, you can’t change your kid’s personal information once that’s in the public domain.

Whilst many manufacturers have provided assurance that they won’t use data collected from children for marketing purposes, that care doesn’t apply to the hacker that has stolen the data! Still, the potential for manufacturers to send carefully worded messages direct to children through their toys must be very tempting.

For example, when My Friend Cayla is asked ‘What is Toys R Us’ she says:
“Toys R Us shops are really big and all they sell is toys and fun things…”

A bit creepy, don’t you think?

Think about the device/toy

In the last year alone we have conducted research on dozens of tablets and many smart dolls and toys. Without exception every single one showed security flaws to some degree. Some were so bad that a hacker could hijack the toy and communicate directly with a child whilst playing. The hacker could snoop on conversations in the house using the toy, or even worse, talk to your child through the toy.

What can you do?

If you want your children to play safely the internet generally isn’t the ideal playground, however there are some tips that will minimise risk:

  • Talking/listening dolls/bears etc. are plain creepy. Given that a hacker may be able subvert them to communicate directly with your child you should steer clear. This
    recent piece of news makes that point perfectly.
  • Don’t buy child-specific tablets. They are cheap for a reason. Security often costs a little extra.
  • If you do want to give a child a tablet as a gift, get a recent model from a known brand and keep the software up to date. Set and use parental control features.

Up to date Android and Apple tablets are pretty secure, particularly if you spend a few minutes setting them up securely. There’s plenty of good advice about that online.