The Connected Toy Conundrum Is Beginning to Boil

The prediction business is a tricky thing. You can be right, but until you are proven right, you’re either early or wrong. Being early feels just like being wrong—up until the moment you are right.

When toymaker VTech announced in November 2015 that nearly five million customer records had been leaked (including pictures of and data about children), I predicted that the breach would be a tipping point for security and privacy issues with connected toys. My thesis was based on the notion that nothing stirs the emotions faster than concerns over the privacy and safety of children.  

My prediction didn’t get any traction. Just as I was beginning to embrace the notion that I was wrong, a string of recent events may prove that I was just early.

Smart toy security troubles are on the rise

In mid-February, it was reported that Germany’s Federal Network Agency issued a warning to parents about the “My Friend Cayla” doll. The agency, which oversees telecommunications in Germany, advised parents to destroy the doll because it collects and transmits conversations with children.

The conversations were being parsed by speech recognition software that can turn dialogue into searchable queries. While the agency based its warning on the doll being a “concealed transmitting device” that ran afoul of the law, there was also much concern over regulations protecting the privacy and security of children. Agencies from multiple countries, including the United States’ FTC, expressed concerns over these privacy and security issues.

In early March, it was reported that toymaker Spiral Toys had been hacked, exposing data from over 800,000 users. The data contained personalized voice messages, pictures, and other data collected via Internet-connected teddy bears and the associated smartphone apps. Researchers reported that the data was stored on a database that was unprotected and not behind a firewall. The same researchers believe the data was held for ransom before being exposed by multiple sources.

As a parent, I find these breaches of privacy and security reprehensible. As someone in the software security space, I find these breaches to be inevitable, yet easily preventable. As a citizen of the world, I view this as a continued warning about the dangers of IoT and connected everything.

Securing smart devices goes beyond toy manufacturers

As I have said repeatedly, the term “connected device” should immediately provoke questions such as “to what?”, “for what purpose?”, and “with what level of protection for the data?”

I do not believe that there is malicious intent on the part of the toy manufacturers. They are looking for an angle to sell toys, and IoT and connected devices are hot topics. They are also financially motivated to hold down production costs for profitability. A connected toy adds new cost items such as building the associated app and building the infrastructure (including storage) for the collected data. All their key business drivers (e.g., time to market and profitability) are diametrically opposed to the notion of building security into the process.

Take note that this is not a set of issues unique to connected toys. Multiple stories came out in February on the analysis of the end user license agreements for smart televisions. Manufacturers are now warning us not to discuss sensitive subjects in front of our televisions as the conversation will be recorded and stored! This includes the voices of children in our homes.

On a personal note, I am in the market for a new home thermostat. Buying a smart thermostat causes me to pause because I know they listen constantly—just like a smart TV or your new Alexa. Fortunately, I also know several manufacturers of smart thermostats are treating the security issues seriously.

It’s time to take IoT security and privacy seriously

Privacy is an ephemeral subject, particularly in the United States. Other countries take a much more pronounced interest in privacy, whereas I believe Americans have become numb to the subject after selling our privacy souls for free cell phones. However, the basic, immutable law is simple and must be recognized by consumers: if something is IoT or connected, it collects data, and that data goes somewhere and is stored. While seemingly benign, that data may contain sensitive information, and it can be stolen.

Add children to the mix and the focus suddenly shifts. The light shed on the problems swiftly burns much brighter. There have been no reports of children receiving inappropriate messages or other misuses of the leaked data…yet. However, the upsetting fact is that these children have been put at risk. When a child is compromised by such a leak, the heat will go up exponentially.

My previous, bold prediction was that parents will begin to demand that connected toys demonstrate the basic concepts of data privacy and security as awareness of the problem reaches critical mass. Enlightened toy manufacturers will begin to embrace the basic concepts of security and build connected toys that can be trusted by parents. They may in fact begin to use proof of security measures as a differentiator in the market. I would not be surprised to see some form of seal or certification emerge to visibly demonstrate to consumers the security awareness of the product.

The tipping point may have just arrived. On March 6, Consumer Reports announced that they are “launching the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy”. Consumer Reports hopes to push a new open-source standard that addresses privacy and security concerns for connected consumer devices.

I wait patiently to discover if I was early or wrong on my prediction. At the rate that these breaches are surfacing, I feel better about my chances of being early. But this time I won’t feel great about being right.
