After the FBI issued a warning on internet-connected toys in July, researchers began digging into these devices to assess their functions as they relate to cybersecurity. But before describing what one of these toys can do, it might be helpful to explain how they work at a very high level.

Typical Components of Internet-Connected Toys

The first component of an internet-connected toy is the toy itself, which usually takes the form of a squeezable plush animal such as a dog, bear or pony. They also come as dolls, hard plastic dinosaurs, alien creatures and more. The electronic components, which are usually standardized across all Internet of Things (IoT) toys, typically include:

  • A speaker;
  • A wireless receiver and transmitter;
  • A long-life battery or battery conduit;
  • A recording device, such as a microphone wired to a microchip; and
  • Cloud connection capability.

More sophisticated toys contain additional components such as:

  • Motion activators and sensors based on acoustics or specific frequency ranges;
  • Optics or cameras;
  • Bluetooth capability; and
  • Programmable memory to store recordings, songs, stories, etc.


The Mobile App and the Cloud Provider

The newer IoT toys on the market require a mobile application that parents can download from an app store. These apps are usually compatible with several different mobile device types. There is no indication that the apps used for these IoT toys are developed with security in mind. As a result, there is no way to guarantee that these apps are protected from bad software updates, malware, worms, Trojans and viruses. Additionally, the mobile app, if hijacked by cybercriminals, could be used to corrupt the toy it is paired with.

The mobile app is used by one party — usually the parent — to record a message or greeting for the child. This message is transmitted to an IoT cloud account tied to the mobile app, and then from the cloud account to the child’s toy.

Again, there is nothing in the design of most internet-connected toys that guarantees that the user’s data:

  • Is protected in the cloud;
  • Is not susceptible to eavesdropping in the cloud;
  • Will not be sold to the highest bidder on the black market if the cloud provider is compromised;
  • Will not be used to spy on individuals or entire families to glean personal details; or
  • Is not susceptible to tampering.

An Espionage Device in a Fluffy Package

Most internet-connected toys have some kind of indicator, such as eyes that light up, a face that moves to form a smile or a blinking heart light, that alerts the child to a message. The child can press the paw or squeeze the belly to hear the recorded message played back to them.

In addition to listening to simple messages and greetings, some IoT toys can read stories, play simple games and even maintain a steady internet connection to download new content such as children’s audio books. Several IoT toys allow children to record messages back to their parents or friends. This is where a cute pink dinosaur can become a Cold War-like espionage device in a fluffy, squeezable package.

The next-generation IoT toys coming out of the research and development phase and into the market are quite possibly the most sophisticated toys ever designed. A cybercriminal could easily hijack the basic model of an IoT toy to eavesdrop on everything a child is doing in his or her room and pick up distinct conversations occurring within the house, car, school or day care facility.

The most sophisticated IoT toys have augmented reality optics built into the eyes that can pick up on subsonic and ultrasonic broadcast frequencies and recognize voice patterns. These capabilities can be woven into the fabric of a pillowcase or blanket.

Red Flags for Internet-Connected Toys

Before purchasing an internet-connected toy for your child or children, do a lot of research and carefully scrutinize every manufacturer. Below is a list of red flags to look out for. If any one of these issues is present, the IoT toy, no matter how lovable and cute, should not be purchased:

  • The toy is sold only through a ubiquitous, nameless, faceless retailer — in other words, it is available only online.
  • The toy has no obvious, discernible supply chain that identifies who manufactured it or where it was manufactured.
  • The company manufacturing the toy does not have a physical address, return address or consumer complaint number.
  • Free shipping to military personnel is a major marketing tactic used to sell the product.
  • There is no telephone number, physical address, mailing address or customer service number for the seller of the toy or the mobile app required to use the toy.
  • The mobile app provider requires the user to sign up for the cloud service using his or her real first and last name and physical address.
  • The toy stays connected to the cloud even when it is off.
  • The toy is programmed to receive automatic updates or downloads.
  • The toy comes equipped with a long-range receiver and transmitter.
  • The cloud provider storing the data is never identified in the end-user license agreement (EULA).
  • Neither the toy nor the mobile app comes with an EULA.

Read the Fine Print

Finally, parents and purchasers of IoT toys should always read the EULA carefully — every single word of it. This agreement, which is usually legally binding, is supposed to describe how the toy works, what it is capable of, the type of data it can collect, where this data is stored, how it is processed and used, and how long it remains in memory or in the cloud. Do not skip the EULA simply because the fuzzy blue alien looks too cuddly to have a sinister purpose.
