We analyzed privacy and security practices of a selected set of smart toys.
A full list of toys can be found here.
You can download the full report examining the toys’ privacy practices here. A second report that experimentally evaluates toys’ privacy and security practices will be made available shortly.
For any questions, contact m.mannan[at]concordia.ca.
Some factors to consider when buying a smart toy are:
What information does this toy collect? Does it collect privacy-sensitive information, like videos, pictures, or audio?
Has this toy or toy company ever been involved in a data breach? If so, did they respond swiftly and responsibly and appear to take security seriously?
What data does the toy collect and share with third parties?
Is the toy firmware and/or companion app regularly updated?
Does the toy adhere to established standards or certifications governing technology for children, like the kidSAFE Seal program?
Our studies found three main categories of risk. These are:
Data leakage: Some of the toys gather pictures, videos, and audio recordings of the child. This type of sensitive information should be securely stored and transmitted so it doesn’t fall into the hands of unauthorized people.
Online tracking: All of the companion apps we examined send behavioral information regarding the child’s usage of the toy to one or more third parties. This, together with information about the smartphone, can be used to infer demographic information about the child and target them for advertising. Some toys sent more identifying information and were able to serve targeted ads on another computer.
Physical risk: Some toys expose the child to physical risk, whether through tracking the child through physical space using the toy’s Bluetooth identifier or allowing an unauthorized person to control the toy to lure the child.
Wherever possible, we recommend to:
Disable internet access on the toy or the companion app smartphone if doing so doesn’t interfere with operation of the toy.
Always use strong passwords if asked to create an account.
Don’t leave the toy unattended if it stores sensitive data, and make sure to factory reset it when transitioning to a new owner.
Some of the toy makers have responded positively, while others have either not responded at all or dismissed our findings as “unsolicited”. More details can be found in our report (available online soon).
Adhere to established standards like kidSAFE Seal.
Ensure there is a mechanism in place to push signed firmware updates to the toy and update the companion app as needed to patch flaws.
Protect private information.
Establish a mechanism for reporting vulnerabilities.
Only collect persistent identifiers (for instance, the smartphone IMEI) and Personally Identifiable Information (PII) if they are essential for the toy’s proper functionality.
Use third party analytics libraries sparingly. Many analytics SDK Terms of Service prohibit their use in apps for children, or otherwise restrict the types of data that can be collected, and all such restrictions should be respected. Do not transmit any persistent identifiers or Personally Identifiable Information to third party services.
Make sure all communication is encrypted, both over local networks and the internet. If using Bluetooth between the toy and the companion app, use the strongest Bluetooth security mode supported. Any communication to cloud servers should use the latest available version of TLS, strong ciphersuites, and valid server certificates. Client apps should use certificate pinning where possible, and TLS server parameters checked using tools like Qualys SSL labs.
Ensure that session cookies have a short expiry and use the “secure” and “httponly” flags.
Secure cloud-based storage using best practices, for instance as outlined in the NIST Guide to General Server Security.
We recommend establishing a formal mechanism for reporting vulnerabilities. This can be as simple as a dedicated form or contact information listed on the official web site, or participating in bug bounty programs like HackerOne or Bugcrowd.