September 18, 2017 By Kelly Ryver 4 min read

After the FBI issued a warning on internet-connected toys in July, researchers began digging into these devices to assess their functions as they relate to cybersecurity. But before describing what one of these toys can do, it might be helpful to explain how they work at a very high level.

Typical Components of Internet-Connected Toys

The first component of an internet-connected toy is the toy itself, which usually takes the form of a squeezable plush animal such as a dog, bear or pony. They also come as dolls, hard plastic dinosaurs, alien creatures and more. The electronic components, which are usually standardized across all Internet of Things (IoT) toys, typically include:

  • A speaker;
  • A wireless receiver and transmitter;
  • A long-life battery or battery conduit;
  • A recording device, such as a microphone wired to a microchip; and
  • Cloud connection capability.

More sophisticated toys contain additional components such as:

  • Motion activators and sensors based on acoustics or specific frequency ranges;
  • Optics or cameras;
  • Bluetooth capability; and
  • Programmable memory to store recordings, songs, stories, etc.


The Mobile App and the Cloud Provider

The newer IoT toys on the market require a mobile application that parents can download from an app store. These apps are usually compatible with several different mobile device types. There is no indication that the apps used for these IoT toys are developed with security in mind. As a result, there is no way to guarantee that these apps are protected from bad software updates, malware, worms, Trojans and viruses. Additionally, the mobile app, if hijacked by cybercriminals, could corrupt the toy to which it is downloaded.

The mobile app is used by one party — usually the parent — to record a message or greeting for the child. This message is transmitted to an IoT cloud account tied to the mobile app, and then from the cloud account to the child’s toy.

Again, there is nothing in the design of most internet-connected toys that guarantees that the user’s data:

  • Is protected in the cloud;
  • Is not susceptible to eavesdropping in the cloud;
  • Will not be sold to the highest bidder on the black market if the cloud provider is compromised;
  • Will not be used to spy on individuals or entire families to glean personal details; or
  • Is not susceptible to tampering.

An Espionage Device in a Fluffy Package

Most internet-connected toys have some kind of indicator, such as eyes that light up, a face that moves to form a smile or a blinking heart light, that alerts the child to a message. The child can press the paw or squeeze the belly to hear the recorded message played back to them.

In addition to listening to simple messages and greetings, some IoT toys can read stories, play simple games and even maintain a steady internet connection to download new content such as children’s audio books. Several IoT toys allow children to record messages back to their parents or friends. This is where a cute pink dinosaur can become a Cold War-like espionage device in a fluffy, squeezable package.

The next-generation IoT toys coming out of the research and development phase and into the market are quite possibly the most sophisticated toys ever designed. A cybercriminal could easily hijack the basic model of an IoT toy to eavesdrop on everything a child is doing in his or her room and pick up distinct conversations occurring within the house, car, school or day care facility.

The most sophisticated IoT toys have augmented reality optics built into the eyes that can pick up on subsonic and ultrasonic broadcast frequencies and recognize voice patterns. These capabilities can be woven into the fabric of a pillowcase or blanket.

Red Flags for Internet-Connected Toys

Before purchasing an internet-connected toy for your child or children, do a lot of research and carefully scrutinize every manufacturer. Below is a list of red flags to look out for. If any one of these issues is present, the IoT toy, no matter how lovable and cute, should not be purchased:

  • The toy is sold only through a ubiquitous, nameless, faceless retailer — in other words, it is available only online.
  • The toy has no obvious, discernible supply chain that identifies who manufactured it or where it was manufactured.
  • The company manufacturing the toy does not have a physical address, return address or consumer complaint number.
  • Free shipping to military personnel is a major marketing tactic used to sell the product.
  • There is no telephone number, physical address, mailing address or customer service number for the seller of the toy or the mobile app required to use the toy.
  • The mobile app provider requires the user to sign up for the cloud service using his or her real first and last name and physical address.
  • The toy stays connected to the cloud even when it is off.
  • The toy is programmed to receive automatic updates or downloads.
  • The toy comes equipped with a long-range receiver and transmitter.
  • The cloud provider storing the data is never identified in the end-user license agreement (EULA).
  • Neither the toy nor the mobile app comes with an EULA.

Read the Fine Print

Finally, parents and purchasers of IoT toys should always read the EULA carefully — every single word of it. This agreement, which is usually legally binding, is supposed to explain how the toy works, what it is capable of, the type of data it can collect, where this data is stored, how it is processed and used, and how long it remains in memory or in the cloud. Do not skip the EULA simply because the fuzzy blue alien looks too cuddly to have a sinister purpose.
