Are web-enabled toys safe?

Today, more and more toys are connected to the internet, from smart dolls to radio-controlled cars and learning games. These toys, games and apps end up in the hands of young children who are quickly getting used to playing with sensors, cameras and microphones. This is a natural extension of long-existing electronic toys, and it is probably best explained through the evolution of the famous Barbie doll.

First launched in the US in March 1959, Barbie went through many changes to her appearance, clothes and accessories, eventually becoming a cultural icon (controversies included). Today, “Hello Barbie” is a sophisticated toy able to have a live conversation using voice recognition technology, to connect to the internet and store its data via cloud technology. But when a doll can actually speak through a child’s imagination or give correct answers thanks to an algorithm, we are facing a much bigger issue.

High-tech companies are investing heavily in net-connected toys: they can profile children’s behaviour and collect a variety of data about their use, such as daily, weekly or monthly stats and most preferred actions. While this data allows companies to create toys more in line with children’s needs and enjoyment, it also fuels R&D projects aimed at further improving algorithms and interactive functions.

Parents are still divided on the consequences of these advancements, but some companies promise them a better experience, particularly when it comes to educating their children. And some toys already provide parental control options, including game monitoring, feature blocking and a general analytics system.

However, there are reasons for both parents and companies to be concerned. Electronic toy-maker VTech admitted to a breach by an “ethical hacker” that hit 6.3 million children, stealing their names, home addresses, pictures and chat logs. So far no data has been publicly disclosed, but the attacker warned the Hong Kong toy-maker to quickly fix its security flaws.

Also, while privacy advocates already warned that Hello Barbie could pose risks (recordings are sent over the internet and stored in the cloud), security researchers have exposed several flaws that could have allowed hackers to spy on children’s conversations with the doll. And this new report comes on the heels of similar but separate independent findings on how hackers could exploit Hello Barbie.

These development can’t be ignored: For toy companies to successfully embrace the “internet of toys”, they must deploy any necessary security standard, such as system assessments, penetration tests, cryptography and transparent policies. Parents also have a crucial role to play: it is up to them to make sure these toys protect their children’s privacy and personal data – well beyond “old-fashioned” basic safety features.

It would perhaps be useful for toy manufacturers and the authorities to get together and share best practices to define privacy and security standards that are satisfactory and ethical for all. It will almost certainly take some time to properly sort out this new technological challenge, and for many it could entail a broader reconsideration about Christmas gifts. Should we be giving our children a smart doll or a superhero connected to the internet, or would we be better waiting for more secure and safe cyber-toys?

Author: Andrea Stroppa writes about security and technology for the World Economic Forum.

Image: A girl looks at Barbie dolls during a Barbie exhibition in Zagreb May 15, 2012. REUTERS/Antonio Bronic