Children’s toys have joined the ranks of connected devices entering American homes. Channel 2 consumer advisor Clark Howard said parents need to know how they work to protect their kids’ privacy.
Howard said understanding how these devices can be connected and what data they collect is key.
In recent months the My Friend Cayla doll, made by Genesis Toys, has garnered a lot of attention, not only for what she hears but for what she allows others to hear as well.
The doll connects via Bluetooth to whatever device the child is using. That connection is what caught the interest of ethical hacker Ken Munro of Pentest Partners in England.
“There is no security over that Bluetooth connection,” Munro explained. “I can drive past your house and I can connect any Bluetooth device to this doll…it's really quite creepy.”
Pentest discovered the vulnerability two years ago.
A Channel 2 investigative producer bought one of the dolls on Amazon to test the doll’s security features. With the help of Core Security threat researcher Willis McDonald, the doll was easily compromised.
“Doesn't take any special skills, if you can hook up a Bluetooth headset, you can hook up to the doll,” McDonald said. “I was a little bit surprised that there wasn't any sort of PIN or any sort of authentication that you have to do to connect to the doll.”
Once connected, anyone can listen, record and speak to the child through the doll. It’s that easy.
For a demonstration, Willis spoke to his kids through the doll from another room. Clark was able to connect from a phone from more than 70 feet away.
Munro doesn’t think people take toy security as seriously as they should.
“What bothers me is we're expecting parents to become computer security experts and that's not realistic,” Munro said.
Last December, the Electronic Privacy Information Center in Washington, D.C., filed a complaint with the Federal Trade Commission against Genesis Toys. The complaint cited how easy it was for devices to connect to the doll, and also that recordings from the doll’s companion app were sent to Nuance Communications, a third-party software company, without making it clear to parents up front.
Privacy expert Peter Swire, of the Scheller College of Business at Georgia Tech, says the Children’s Online Privacy Protection Act, or COPPA, is very specific regarding how parents should be notified about what information is collected about their child, and who that information is being sent to.
“The parent has to actually know what is going on and then say, ‘Yes I agree,’” Swire explained. “The box cannot already be checked. It cannot be just hidden somewhere in the terms of service. It's supposed to be a moment where the parent realizes what’s going on and says, ‘Yes, ok. I'm ok with that.’”
Anything else, Swire said, is a violation of that law. He also said even if parents are properly notified, they need to be aware of how the information collected is stored.
“It's going to the cloud. That's the basic thing for so many of our devices,” Swire said. “One of the things with COPPA is the company is only supposed to keep the information that's related to the service.”
Information collected by children’s toys has been compromised before. In 2015 V-TECH toys was hacked, exposing over 6 million child profiles. Months ago, security researchers discovered user information collected by CLOUDPETS, owned by Spiral Toys, was left exposed in a way that would allow people to gain access to voice recordings.
“The Federal Trade Commission says all the companies should use reasonable practices when it comes to security. If you're guarding kids’ data, the penalties are bigger and you probably have to be more careful,” Swire said.
McDonald said the best way to keep your child’s privacy secure is not giving it out in the first place.
“It's really more of a problem of how we as Americans view our privacy and we keep giving more and more information out. Eventually we're not going to have any more privacy if we don't stop,” McDonald said.
Swire said anytime you bring a connected toy into your home, make sure you’re asked for verifiable consent.
“If you're a parent and you're not seeing that, then you are dealing with a company that's probably breaking the law,” Swire said.
Channel 2 reached out to Genesis Toys and Spiral Toys, but so far has not received a response. A statement from Nuance Communications, the company named in the same complaint as Genesis Toys, can be found below.
"Nuance takes data privacy seriously. With that in mind, we would like to share a handful of important points with our customers, investors, media and our employees.
We have not received an inquiry from the FTC or any other privacy authority regarding this matter, but will respond appropriately to any official inquiry we may receive. Our policy is that we don’t use or sell voice data for marketing or advertising purposes. Upon learning of the consumer advocacy groups’ concerns through media, we validated that we have adhered to our policy with respect to the voice data collected through the toys referred to in the complaint. Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers. We have made and will continue to make data privacy a priority."