Parents Should Be Cautious With Connected Toys, CR Testing Shows
Some toys may transmit data without encryption, have other security flaws
When children unwrap holiday gifts these days, they may find internet-connected robots and talking teddy bears alongside classic board games or Lego sets. These digital products can be fun and even educational, but they also present some privacy and security risks you don’t find in old-fashioned toys.
“Any product with a WiFi or Bluetooth connection potentially can get hacked, whether it’s meant for children or adults,” says Robert Richter, who leads privacy and security testing at Consumer Reports. As our researchers have seen in the lab, many digital products collect and store information that can later be used by companies for marketing or just to develop new products.
To assess how the new generation of smart toys addresses digital-age concerns, Consumer Reports bought and tested a small sampling of connected toys. Our test included a smartwatch for kids made by Kurio; CogniToy’s Dino, a child-oriented smart speaker in a dinosaur’s body; Anki’s Cozmo, a robotic toy; and the Sphero SPRK+, a robotic ball.
All of them are available for sale this year; all of them can share data with smartphone apps; and as a group, they are targeted at children 5 to around 8 years old.
CR’s testing shows that such products can carry some risks for children’s data privacy and security. Based on our results, our experts have a few suggestions that parents can follow.
Parents Need Better Information
“We found a number of security and privacy problems with the toys we tested,” says Richter. “None of them pose a major immediate threat to the safety of children, but they follow a trend we see elsewhere with internet-connected devices in that companies could be doing a better job protecting customer data.”
Low-Price Toy, With Minimal Security
Kurio’s Kurio Watch 2.0+ for kids, which retails for about $40, lets kids play games, take pictures and video, pair their device with a friend’s Watch, or message their friends through a Bluetooth connection to their parent’s phone. An activity tracker and other smartwatch functions are built in.
CR’s testing found that the watch uses personal information to establish a Bluetooth connection, creating an identifier based on the first names of both parent and child, along with their favorite colors.
That may not sound like vital data. But if the watch were lost or stolen, or if the Bluetooth signal were picked up by someone nearby, a stranger could end up with personal details that could help them gain a child’s confidence. That may be a remote danger, but it’s one that could easily be avoided if the company were to use a random identifier instead, our testers say.
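To make the testers’ point concrete, here is an added illustration (not code from Consumer Reports, Kurio, or any toy maker) of the two approaches: an identifier derived from registration details, as the article describes, beside one drawn from the operating system’s random number generator. The sample names and colors are constructed, and the small registry that maps a random identifier back to the family record is an assumed design, standing in for whatever the companion app would keep locally.

```python
import secrets

# Constructed sample registration data; not values from the article's tests.
PARENT_NAME = "Alice"
CHILD_NAME = "Bobby"
PARENT_COLOR = "blue"
CHILD_COLOR = "green"


def pii_identifier(parent, child, parent_color, child_color):
    """Identifier built the way the article describes: from first names and
    favorite colors. Anyone who observes it learns details about the family."""
    return f"{parent}-{parent_color}-{child}-{child_color}"


def random_identifier(nbytes=8):
    """Identifier from the OS cryptographic random source. It carries no
    personal data, cannot be guessed, and can be reissued on every pairing."""
    return secrets.token_hex(nbytes)


def leaks_personal_data(identifier, *pii):
    """Privacy-review check: True if any supplied personal value appears in
    the identifier (case-insensitive)."""
    lowered = identifier.lower()
    return any(p.lower() in lowered for p in pii if p)


class PairingRegistry:
    """Assumed app-side table: the only place the random identifier is linked
    to real names. The identifier itself is what gets advertised over the air."""

    def __init__(self):
        self._records = {}

    def enroll(self, parent, child):
        # Issue a fresh random identifier and keep the mapping locally.
        ident = random_identifier()
        self._records[ident] = {"parent": parent, "child": child}
        return ident

    def lookup(self, ident):
        # Returns the family record for a known identifier, else None.
        return self._records.get(ident)


if __name__ == "__main__":
    pii = (PARENT_NAME, CHILD_NAME, PARENT_COLOR, CHILD_COLOR)
    weak = pii_identifier(*pii)
    strong = random_identifier()
    print(weak, "leaks personal data:", leaks_personal_data(weak, *pii))
    print(strong, "leaks personal data:", leaks_personal_data(strong, *pii))
    reg = PairingRegistry()
    ident = reg.enroll(PARENT_NAME, CHILD_NAME)
    print("advertised:", ident, "-> resolves locally to", reg.lookup(ident))
```

The hex token contains only the characters 0-9 and a-f, so no name or color word can appear in it; the registry shows that the app does not lose anything by using it, since it can still map the identifier back to the child on the parent’s phone.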
Our testers also note that there’s no way for Kurio to provide new firmware to the watch to improve security. “That’s something we always look for,” Richter says. “Security updates are a fact of life for nearly any digital product. No software is perfect out of the box.”
Kurio responded to CR’s concerns by pointing out that no information from the watch is transmitted over the internet, reducing the opportunity for a hacker to gain access to personal data. “The watch is not connected to the internet, and the app’s data is stored exclusively on a user’s Android device,” the company said in an emailed statement.
A Company Fails and a Toy Gets Stranded
CogniToys’ Dino, which uses IBM’s Watson artificial intelligence platform to converse with young children, was developed by a tech startup based in New York called Elemental Path. The toy received lots of positive buzz when it launched on Kickstarter in 2015, and the product eventually ended up on the shelves and websites of major retailers.
Then, just a few weeks ago, Elemental Path was forced to shut down due to a lack of funding. If you go on the CogniToys website now, you’ll find the Dino listed for sale. But if you click on the “Add to Cart” button, you get a notice that says "Page Not Found."
In an email to Consumer Reports, JP Benini, Elemental Path’s CTO and co-founder, confirmed that the company is no longer selling the toy through its website, and it won’t be able to support Dino toys sold by other retailers.
That means that, like the Kurio Watch 2.0+, Dino toys in consumers’ homes won’t be receiving software updates to protect against emerging security threats.
And CR did find vulnerabilities when we tested the toy—some important information was being transmitted and stored unencrypted, and testers discovered that motivated hackers might be able to steal personal data.
“We have actually remediated some of those vulnerabilities to the best of our ability,” Benini said, adding that others couldn’t be fixed because of problems with the hardware vendor the company was using.
And, Benini said, he “would not recommend any further sales until the way through all of this is clearer.”
Nevertheless, the Dino is currently being sold at steeply discounted prices on the websites of major retailers, such as Amazon, Buy Buy Baby, and Walmart, with no mention of Elemental Path’s financial troubles or the acknowledged security flaws.
Uneven Privacy Policies
Consumer Reports' testers evaluated the privacy policies and terms of service for the toys, looking for easy-to-read language and clear instructions for how a parent could delete a child’s data.
Testers credited the companies with following several good practices. For instance, Cozmo provides clear instructions on how to delete data collected by the manufacturer and clarifies that “Images from Cozmo or the Cozmo App are not stored or transmitted to the cloud.” Other policies tell parents how to opt out of some data collection and how to use parental controls.
What Parents Can Do
Without the tools, training, and time to test it, there’s no sure way for parents to know whether a particular connected toy is taking strong measures to safeguard personal data. However, CR’s Richter says the following measures can help you and your kids stay safer.
Limit what data you share. Just because a manufacturer requests your child’s name, gender, birthdate, and favorite color during the registration process, that doesn’t mean you have to provide these details. Not the real information, anyway. In some cases, you can skip questions you don’t want to answer. In other cases, go with made-up details. In its emailed statement, Kurio pointed out, “Parents do not have to enter the child’s first name” when setting up the watch. “They simply need to enter at least one character or can choose any word or alphanumeric combination they would prefer.”
Set strong passwords. All connected toys should require a strong, unique password when you set up an online account or pair the device with your smartphone. But create one even if the toy doesn’t ask. Ideally, use a passphrase made up of several words, and make sure not to use the same one for multiple accounts. No, this isn’t banking data, but it’s still very important and worth guarding.
Talk to your kids. This is an early opportunity to start educating your children about what to share online and what to keep private. Explain that any message, photo, or voice command they give an internet-connected toy could be shared with a big company and stored for a long time. That doesn’t mean they shouldn’t have fun with the toy, but it does mean the device can't be trusted to keep secrets.
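As an added illustration of the “set strong passwords” advice above (this is not code from Consumer Reports or any toy company), the following generates a multi-word passphrase from a word list, estimates how much guessing work it represents, and flags any password reused across accounts. The word list and the sample accounts are constructed for the example; a real generator should draw from a list of thousands of words.

```python
import math
import secrets

# Constructed illustrative word list. A production list such as the EFF long
# list has 7,776 entries, which gives about 12.9 bits per word.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bridge", "copper", "meadow",
    "planet", "ribbon", "summit", "tunnel",
]


def generate_passphrase(n_words=5, wordlist=WORDS, sep="-"):
    """Pick n_words uniformly at random from wordlist using the OS CSPRNG.
    secrets.choice, not random.choice, so the result is not predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Guessing resistance in bits: each word adds log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


def reused_passwords(accounts):
    """Given {account: password}, return the set of passwords that appear on
    more than one account, i.e. the ones that violate 'unique per account'."""
    seen, repeated = set(), set()
    for pw in accounts.values():
        if pw in seen:
            repeated.add(pw)
        seen.add(pw)
    return repeated


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"~{passphrase_entropy_bits(5, len(WORDS)):.1f} bits")
    # Constructed sample of a family's toy and app accounts.
    sample = {
        "robot-app": "dragon-ember-saddle-orbit-kettle",
        "kids-watch": "dragon-ember-saddle-orbit-kettle",
        "speaker-toy": "walnut-harbor-quartz-ribbon-timber",
    }
    print("reused:", reused_passwords(sample))
```

With the 32-word list above, five words give only 25 bits, which is why the list size matters: the same five words from a 7,776-word list give roughly 64 bits, the difference between a passphrase that is easy to remember and one that is both memorable and hard to guess.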
Editor’s Note: Our work on privacy, security, and data issues is made possible by the vision and support of the Ford Foundation, the Alfred P. Sloan Foundation, and Craig Newmark Philanthropies. Craig Newmark is a former board member of Consumer Reports.