Inside the FBI: Internet-Connected Toys Pose Security Risks
August 10, 2017
Experts from the FBI's Cyber Division caution parents about the potential risks associated with their children’s Internet-connected toys and other devices.
Mollie Halpern: Hello, I'm Mollie Halpern of the Bureau, and you're listening to Inside the FBI. Security risks come with the increased use of devices known as the Internet of Things. These devices can send and/or receive data through the Internet—such as smart TVs, baby monitors, and, yes, even toys.
The FBI's Cyber Division's Technology Cyber Intelligence Unit focuses on emerging technology that can impact the FBI's mission and U.S. interests. Joining me today from that unit are Ken Harris, the unit chief; and intelligence analysts Lynn and Jim, who will explain how even toys can be used for egregious purposes.
Lynn, the unit conducted research on how malicious actors could exploit people through Internet-connected toys. What was the process of your research?
Lynn: We collected a couple of different samples of different types of toys. Some that had conversational interaction with us, and some of them that required messaging. And we basically interacted with them as if we were children ourselves. We answered questions, we talked to them—just to get an idea of how they interact with us, how we converse with them, and what kinds of data they collect on us. So, there were two different, specific types that we had: ones that connected to your mobile phone through your Bluetooth connection, and then also ones that connected through WiFi to your home router.
Halpern: Okay, so there were some seemingly harmless questions asked, but ones that could also be considered invasive?
Lynn: Yeah, some of them would ask questions, you know, like, "Where are you going on vacation?" Or, "What are your favorite things?" And those we found, it seemed—you would think that from the general consumer or for children—that would be pretty innocuous. But our concern was, "Well, how could somebody with bad intentions, a bad actor, use that kind of information—that very personal information—that you're sharing with the toy?"
Halpern: So, you had those concerns, but then you also identified other possible vulnerabilities.
Jim: Yes. We found that, like with many devices, users should guard their access credentials to their account, and additionally, the apps that communicate with the servers and with the toys, they could be a point of vulnerability. In addition, personal information of users could be intercepted in transit or where it's stored on company servers in the cloud.
Ken Harris: And that information in the cloud could contain account information done during sign-up, when you created your account or created your children's profile: pictures, geolocations, personally identifiable information. And all that information, if it's unsecured on a web server somewhere, is vulnerable to an intrusion and someone stealing it, and then that information will end up, odds are, on the Dark Web, where it could be sold. And I think when it comes to children's information, parents should realize that not everyone on the Dark Web is interested solely in identity theft.
Halpern: Have we seen these types of incidents?
Lynn: We haven't observed or heard any reporting on specific toys being hacked for any type of targeting of children or use of the data, as far as we know to date. But the concern, of course, is, as we've seen and we've heard of reporting in the past, that there are servers and data that have been compromised from companies, which is of great concern. Because how is that data being used? Where is that data going? As Ken had mentioned just previously, that data's not always used just for identity theft, and that is where we are concerned.
Halpern: Right, and some of that data could have been data from children.
Lynn: Exactly, exactly.
Halpern: We don't want to discourage the buying of these toys, and, of course, the FBI doesn't make any judgment on that. But we do caution parents, and we want them to be vigilant. So how can they do that?
Harris: I think as a parent, you should consider these toys the same as a cellphone or a laptop. It's an Internet-connected device, and as you monitor your children on those devices, you should monitor their interaction with these toys. And if red flags come up—whether it be the app on your phone acting a little strangely or should you find the questions being a little invasive that the toy's asking—it's stuff that you should think about reporting.
Lynn: In addition, I think we should always be aware that there are protections out there that are currently in place. The Federal Trade Commission has the Children's Online Privacy Protection Act that imposes those requirements for companies to secure our children's data. So we should always be aware of the information that's available—publicly available—and that protects us.
Halpern: Okay, so what's the bottom line here?
Lynn: The main takeaway for us was that devices continue to be connected to the Internet, and technology continues to grow. Those are all wonderful things—innovation is wonderful—but the concern is, as that technology grows, so also grows the potential for compromise, the potential for exploitation. And when we consider that for our children, that just exponentially grows our level of concern.
Halpern: Great information, thanks for sharing your expertise.
If you suspect your child's toys have been compromised, and for more information, visit www.ic3.gov. I'm Mollie Halpern of the Bureau. Thanks for listening to Inside the FBI.