The Federal Bureau of Investigation is warning that Internet-connected toys can present privacy and safety risks to both parents and children.

In a newly published advisory, the FBI said Internet-connected toys typically contain sensors, microphones, cameras, data storage components, speech recognition and GPS options that collect data, which then is typically sent and stored by the manufacturer or developer via a server or cloud service. The collected data, which can include voice recordings, toy web application passwords, home addresses, Wi-Fi information or sensitive personal data, can present a serious security risk, the Bureau warned.

While pointing out toys using encrypted communications are essential to mitigate the security risk, the FBI said that not all toys implement such features. Those using Bluetooth do not have authentication requirements when pairing with the mobile devices, posing a significant risk for unauthorized access.

The bureau added that another data risk involves the toy companies themselves. Because they collect “large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs,” they themselves could be targets for hackers.

Instances of security issues with toys are already occurring. In February 2016, Internet-connected toys made by Fischer Price and hereO were found to have vulnerabilities that would allow a hacker to gain access to them easily. In February this year, data from Spiral Toys Inc., the company behind a product called CloudPets that allows children to send messages to their parents and vice versa, was found to have been exposed and downloaded by hackers. To put how serious that was in perspective, the data included exposed passwords, emails and more than 2 million private recorded messages between parents and their children, with the data subsequently used to issue ransom demands against parents.

The FBI recommends that parents check if there are any known security issues for any Internet-connected toy they are considering buying or they have already purchased; check the toy’s security measures such as Bluetooth authentication and encrypted data transmission; check to see if the company behind the toy issues firmware/software updates and if they do to make sure they install them; and finally research where data from the toy is stored and whether the company storing it has a good reputation for security.

Photo: maguisso/Flickr