Merry Christmas - The Internet of Insecure Toys

Are the toys you are buying for your kids hackable? Can anyone listen in or have a conversation with your kids via an Internet-connected toy? Sorry, but the answer is “yes.”

We have been writing for a while about the grievous lack of security on Internet-connected “smart” appliances, web cameras, baby monitors, door locks, thermostats, personal assistants, Wi-Fi, cable, and DSL routers, and other devices. This lack of security extends to children’s toys as well.

Due to the lack of security and privacy standards for children’s toys, and the usual rush to market by toy manufacturers who are motivated more by profit than any concern over security, a recent study uncovered a number of Internet-connected toys with serious security issues. These include:

  • Kids’ conversations being collected by the device and stored in the cloud.
  • The absence of encryption on the data stored by these devices.
  • Bluetooth and Wi-Fi flaws that would allow an outsider to connect to certain toys.

Toys identified in this report as insecure included:

  • Furby Connect
  • i-Que Intelligent Robot
  • Toy-Fi Teddy
  • CloudPets

Some toy makers are being sued by the United States for violating COPPA (the Children’s Online Privacy Protection Act of 1998) for failing to disclose to parents that their kids’ conversations and personal data collected by the toys are being stored on servers and sold to third-party marketing companies. You may want to give a second thought to purchasing that cool new connected toy for Christmas. How about a nice collection of Legos instead?



About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
