Parents Should Be Cautious With Connected Toys, CR Testing Shows

“We found a number of security and privacy problems with the toys we tested,” says Richter. “None of them pose a major immediate threat to the safety of children, but they follow a trend we see elsewhere with internet-connected devices in that companies could be doing a better job protecting customer data.”

Kurio’s Kurio Watch 2.0+ for kids, which retails for about $40, lets kids play games, take pictures and video, pair their device with a friend’s Watch, or message their friends through a Bluetooth connection to their parent’s phone. An activity tracker and other smartwatch functions are built in.

CR's testing found that the watch uses personal information to establish a Bluetooth connection, creating an identifier based on the first names of both parent and child, along with their favorite colors.

That may not sound like vital data. But if the watch were lost or stolen, or if the Bluetooth signal was picked up by someone nearby, a stranger could end up with personal details that could help him gain a child’s confidence. That may be a remote danger, but it’s one that could easily be avoided if the company were to use a random identifier instead, our testers say.

Secondly, our testers note that there’s no way for Kurio to provide new firmware to the watch to improve security. “That’s something we always look for,” Richter says. “Security updates are a fact of life for nearly any digital product. No software is perfect out of the box.”

Kurio responded to CR’s concerns by pointing out that no information from the watch is transmitted over the internet, reducing the opportunity for a hacker to gain access to personal data. “The watch is not connected to the internet, and the app’s data is stored exclusively on a user’s Android device,” the company said in an emailed statement.

CogniToys’ Dino, which uses IBM’s Watson artificial intelligence platform to converse with young children, was developed by a tech startup based in New York called Elemental Path. The toy received lots of positive buzz when it launched on Kickstarter in 2015, and the product eventually ended up on the shelves and websites of major retailers.

Then, just a few weeks ago, Elemental Path was forced to shut down due to a lack of funding. If you go on the CogniToys website now, you’ll find the Dino listed for sale. But if you click on the “Add to Cart” button, you get a notice that says "Page Not Found."

In an email to Consumer Reports, JP Benini, Elemental Path’s CTO and co-founder, confirmed that the company is no longer selling the toy through its website, and it won’t be able to support Dino toys sold by other retailers.

That means that, like the Kurio Watch 2.0+, Dino toys in consumers’ homes won’t be receiving software updates to protect against emerging security threats.

And CR did find vulnerabilities when we tested the toy—some important information was being transmitted and stored unencrypted, and testers discovered that motivated hackers might be able to steal personal data.

“We have actually remediated some of those vulnerabilities to the best of our ability,” Benini said, but that others couldn’t be fixed because of problems with the hardware vendor the company was using.

And, Benini said, he “would not recommend any further sales until the way through all of this is clearer.”

Nevertheless, the Dino is currently being sold at steeply discounted prices on the websites of major retailers, such as Amazon, Buy Buy Baby, and Walmart, with no mention of Elemental Path’s financial troubles or the acknowledged security flaws.

Consumer Reports' testers evaluated the privacy policies and terms of service for the toys, looking for easy-to-read language and clear instructions for how a parent could delete a child’s data.

(Like most websites, CR.org collects user data. The details are described in our privacy policy; our approach to privacy is outlined here.)

Testers credited the companies with following several good practices. For instance, Cozmo provides clear instructions on how to delete data collected by the manufacturer and clarifies that “Images from Cozmo or the Cozmo App are not stored or transmitted to the cloud.” Other policies tell parents how to opt out of some data collection and how to use parental controls.

Notably, the privacy policy for Kurio isn't displayed on either the Watch or in the companion app. When testers went online to read it, they found that the company’s privacy policy had not been updated since July 3, 2013, three years before the toy entered stores. The document didn’t make reference to the toy.

Kurio told CR that the privacy policy is reviewed annually by the company’s legal team, but that it will start incorporating the privacy policy in next year’s version of the Watch and its companion app.

Without the tools, training, and time to test it, there’s no sure way for parents to know whether a particular connected toy is taking strong measures to safeguard personal data. However, CR’s Richter says the following measures can help you and your kids stay safer.

Limit what data you share. Just because a manufacturer requests your child’s name, gender, birthdate, and favorite color during the registration process, that doesn’t mean you have to provide these details. Not the real information, anyway. In some cases, you can skip questions you don’t want to answer. In other cases, go with made-up details. In its emailed statement, Kurio pointed out, “Parents do not have to enter the child’s first name” when setting up the watch. “They simply need to enter at least one character or can choose any word or alphanumeric combination they would prefer.”

Set strong passwords. All connected toys should require a strong, unique password when you set up an online account or pair the device with your smartphone. But create one even if the toy doesn’t ask. Ideally, use a passphrase made up of several words, and make sure not to use the same one for multiple accounts. No, this isn’t banking data, but it’s still very important and worth guarding.

Talk to your kids. This is an early opportunity to start educating your children about what to share online and what to keep private. Explain that any message, photo, or voice command they give an internet-connected toy could be shared with a big company and stored for a long time. That doesn’t mean they shouldn’t have fun with the toy, but it does mean the device can't be trusted to keep secrets.

Editor’s Note: Our work on privacy, security, and data issues is made possible by the vision and support of the Ford Foundation, the Alfred P. Sloan Foundation, and Craig Newmark Philanthropies. Craig Newmark is a former board member of Consumer Reports.