Merry Christmas -The Internet of Insecure Toys

Are the toys you are buying for your kids hackable?Can anyone listen in or have a conversation with your kids via an Internet connected toy?  Sorry, but the answer is “yes.”

We have been writing for a while about the grievous lack of security on Internet-connected “smart” appliances, web cameras, baby monitors, door locks, thermostats, personal assistants, Wi-Fi, Cable, and DSL routers, and other devices.  This lack of security extends to children’s toys as well.

Due to the lack of security and privacy standards for children’s toys, and the usual rush to market by toy manufacturers who are motivated more by profit and any concern over security, a recent study uncovered a number of Internet -connected toys with serious security issues.  These include:

  • Kid’s conversations being collected by the device and store in the cloud.
  • The absence of encryption on the data stored by these devices.
  • Bluetooth and Wi-Fi flaws that would allow an outsider to connect to certain toys.

Toys included in this report as insecure included:

  • Furby Connect
  • i-Que Intellegent Robot
  • Toy-Fi Teddy
  • CloudPets

Some toy makers are being sued by the United States for  violating COPPA (the Childrens’ Online Privacy Protection Act of 1998) for failing to disclose to parents’ that their kids conversations and personal data collected by the toys are being stored on servers and sold to third-party marketing companies.  You may want to give a second thought to purchasing that cool new connected toy for Christmas.  How a bout a nice collection of Legos instead?

More information


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.