Internet of Toys

Internet of Toys

How do parents usually pick presents for their kids? Surely, they look for the most vibrant, beautiful, and engaging toys (preferably educational). No wonder they many choose connected gadgets, including child PCs, camera-enabled dolls, RC robots, drones, or toy cars. When doing their pre-purchase research, they do mind whether the toy is robust enough, which materials it is made of, whether it has sharp edges and look at other physical parameters. What they don’t even think of is cybersecurity. Well, it’s time they do.

What can be dangerous about toys?

The thing is, parents are not the only ones who frequently don’t care about cybersecurity — some toy manufacturers themselves neglect it. Any connected gadget is, in essence, a mini-PC relying on some sort of software. Hackers do not sit idle, and always try to find vulnerabilities which would help them compromise the toy’s security and turn it into a surveillance camera or a tool for evil jokes. There are, as well, concerns on how vendors process and store user data in their cloud services. Inevitably, most connected toys send some information, including but not limited to photos, video footage and search history to their vendors’ servers. Also, many toys require to create an online user account where parents deliberately put their real names, postal addresses and other vital personal data.


Some parents would predictably say: who on Earth may be interested in hacking toys? What’s the fuss about surveillance if we have nothing to hide? Frankly, we don’t always have answers. For example, we cannot explain why a random person hacked a baby monitor, spied on a child, and scared him at nights. Well, it doesn’t matter why. The fact is that he did scare a three-year-old boy. The motivation behind spying via webcam is more or less explainable: the toy can record videos of whatever in happening in your home. Your webcam-enabled teddy bear could turn into a perfect informant for burglars.

Scale of the problem

If you still don’t realize the scale of the problem, let’s refer to some recent news. We’ll start with VTech, a toymaker producing an array of connected gadgets for children. Last November an anonymous hacker found out that the data generated by gadgets is sent to the company’s servers in plaintext and managed to obtain access to those servers. As a result, he was able to download over 190GB of photos, scripts of conversations between parents and their children, voice records and user credentials. It’s unclear what he did with that information, but he did send a part of it to the reporters, clearly shocked by how effortless his hack was. Researchers say that the vulnerability he exploited still remains unpatched. However, Vtech edited their current user agreement, adding a passage stating that any personal data shared with Vtech via the software or the vendor’s website can be intercepted by a third party.


Around the same time, security pundits laid their eyes on the brand new Hello Barbie — Mattel’s interactive doll which listens to a child and answers them, just as Apple’s Siri would. It turned out, a skilled hacker could easily get root access to the smart doll, steal user credentials, voice records and even hijack the built-in microphone.

Then experts tested another smart toy, Smart Toy Bear by Fisher Price. The app happened to have several critical security holes which enabled a hacker to learn the child’s name, birth date and other personal data. The vendor was quick enough to fix the problem, but the very fact that such vulnerabilities exist prove that toymakers are not experienced enough to ensure their products are secure.

Action plan

By no means are we telling users to say no to connected educational toys. Quite the opposite: we totally support the use of technologies in kids’ education. However, we recommend to follow these recommendations:

  • When buying a connected toy, check what kind of data it shares with the toymaker. Obviously, a doll or an RC car needn’t share your GPS location, videocam records and other private data.
  • Find out how the data will be used. If it is simply stored on the company’s servers so you can remotely access it or is used for the toy’s ‘self-learning’ purposes, it’s one story. But in many cases, a user agreement states the data can be shared with some ‘third parties’ in order to ‘improve’ the technology. That doesn’t mean those third parties are untrustworthy, yet the more people have access to your private data, the higher the likelihood of it being breached or compromised.
  • When registering an account in an online service, don’t share you kid’s real data. In the best-case scenario, it might be used for target advertising, while in the worst-case scenario it might end up in the hackers’ hands.
  • It is wise to fill only ‘required’ fields in the registration form.

And, most importantly, before buying any smart toy, do a small web research and find out more about the toy in question, especially in connection with data breaches and other related security incidents. In case the toy was involved into any security incident, it’s worth checking how the company dealt with that.  Vulnerabilities are a common phenomenon in the software world, regardless of the company’s size. However, if a vendor takes security issues seriously, the vulnerabilities are patched promptly.