A number of popular internet-connected toys including children’s tablets, a talking stuffed bear and smartwatches are vulnerable to hacking that could expose information about the child and the parents’ credit cards, according to a new cautionary report released Wednesday by U.S. Sen. Bill Nelson.
Nelson’s report, “Children’s Connected Toys: Data Security and Privacy Concerns,” which he produced as ranking member of the U.S. Senate’s Committee on Commerce, Science and Transportation, reports that a toy tablet maker already has been hacked and other popular smart toy products’ companies appear to have similar vulnerabilities.
The late 2015 hack was at VTech Electronics, a leading manufacturer of electronic learning toys and baby monitors, reportedly exposing the personal information of more than 6 million children around the globe, including their names, genders and birth dates, as well as photographs and account passwords.
Nelson’s report also specifically cites security flaws found in two other popular children’s toys – Fisher-Price’s Smart Toy Bear and hereO’s GPS watch – which could have exposed not only a child’s personal information but in the case of the GPS watch, a child’s real-time physical location as well.
“It’s frightening to think that our children’s toys can be used against them in this way,” Nelson, the Florida Democrat, stated in a news release Wednesday. “The companies that make these toys have to do more to safeguard the parents and children who use them.”
The report warns that there appears to be an increase in hacker activity targeting children, despite heightened federal law to protect children’s privacy.
“A number of factors make children a particularly attractive target for identity thieves,” the report states. “A child’s identity is a ‘blank slate’ that can be fraudulently used over a long period of time without detection. Parents generally do not monitor their children’s credit histories and thus may not know for years that an identity thief has victimized their child.
“Personal information about children may also be more readily available as children and parents often fail to appreciate the potential consequences of sharing this information through social media or connected toys and devices.”
Nelson cautioned parents to consider the risks during the holiday season. According to the report, various internet-connected toys have been shown to collect and thereby put at risk a variety of information, including:
* a child’s name, birth date, gender, profile picture, chat messages, call logs and internet history;
* parents’ email address, gender, profile picture, chat messages, credit card information, phone number, Wi-Fi password and IP address.
Nelson’s report said other companies’ products also appear to be vulnerable.
He cautioned that, if possible, parents buying any smart toy should learn in advance what personal information the toy will collect, how that information will be used, whether it will be shared with others outside the toy manufacturer, and how long it will be retained. This information can usually be found in the toy’s privacy policy, the long, small-print legal statement many consumers typically ignore.
Parents, Nelson urged, also should change default passwords that come with toys and install any available software updates; and change, if possible, the toy’s default privacy settings to limit the amount of personal information it provides to the manufacturer, allowing only information necessary for the toy to function.