A number of popular internet-connected toys including children’s tablets, a talking stuffed bear and smartwatches are vulnerable to hacking that could expose information about the child and the parents’ credit cards, according to a new cautionary report released Wednesday by U.S. Sen. Bill Nelson.
Nelson’s report, “Children’s Connected Toys: Data Security and Privacy Concerns,” which he produced as ranking member of the U.S. Senate’s Committee on Commerce, Science and Transportation, reports that a toy tablet maker already has been hacked and other popular smart toy products’ companies appear to have similar vulnerabilities.
The late 2015 hack was at VTech Electronics, a leading manufacturer of electronic learning toys and baby monitors, reportedly expensing the personal information of more than 6 million children around the globe, including their names, genders and birth dates, as well as photographs and account passwords.
Nelson’s report also specifically cites security flaws found in two other popular children’s toys — Fisher-Price’s Smart Toy Bear and hereO’s GPS watch — which could have exposed not only a child’s personal information but in the case of the GPS watch, a child’s real-time physical location as well.
“It’s frightening to think that our children’s toys can be used against them in this way,” Nelson, the Florida Democrat, stated in a news release Wednesday. “The companies that make these toys have to do more to safeguard the parents and children who use them.”
The report warns that there appears to be an increased in hacker activity targeting children, despite heightened federal law to protect children’s privacy.
“A number of factors make children a particularly attractive target for identity thieves,” the report states. “A child’s identity is a “blank slate” that can be fraudulently used over a long period of time without detection. Parents generally do not monitor their children’s credit histories and thus may not know for years that an identity thief has victimized their child.
“Personal information about children may also be more readily available as children and parents often fail to appreciate the potential consequences of sharing this information through social media or connected toys and devices.”
Nelson cautioned parents to consider the risks during the holiday season. According to the report, various internet-connected toys have been shown to collect and thereby put at risk a variety of information, including:
* a child’s name, birth date, gender, profile picture, chat messages, call logs and internet history;
* parents’ email address, gender, profile picture, chat messages, credit card information, phone number, Wi-Fi password and IP address.
Nelson’s report said other companies’ products also appear to be vulnerable.
Parents, Nelson urged, also should change default passwords that come with toys and install any available software updates; and change, if possible, the toy’s default privacy settings to limit the amount of personal information it provides to the manufacturer, allowing only information necessary for the toy to function.