
Connected toys: not just child’s play

Dr Victoria Nash of the Oxford Internet Institute gives advice on the security risks of smart toys that talk to the internet.

In early 2015, Ken Munro, a security researcher from Pentest, demonstrated that something was amiss with Vivid Toy’s talking doll Cayla.

The angelic-looking internet-connected doll was designed to use speech recognition software to ‘listen’ to its child owner, before searching online via a Bluetooth app on a parent’s phone for a supposedly safe and appropriate response.

Unfortunately, Cayla proved less than angelic in practice. Munro’s security tests revealed that Cayla’s software could be hacked, potentially turning her into a potty-mouthed liability by changing her database of appropriate responses.

Even more worryingly, Munro’s team demonstrated that the Bluetooth app used to connect to a parent’s phone was itself also insecure, leading to the possibility that a nearby stranger with sinister intent could themselves connect to the doll.

When toys are hacked

Whilst we have no evidence that any child came to harm playing with Cayla, this is not an isolated incident. Several other toy companies have garnered attention for their similar failure to provide safe online environments for children to play in, or to ensure that data collected is entirely secure. VTech, for example, suffered a massive loss of data in 2015, including pictures and videos of children generated from its toy camera range.

But beyond the alarm caused for the families that bought this doll, Cayla raises a broader issue. Many children’s toys are ‘smart’ now, with various integral features that either enable them to connect directly to the internet (such as CloudPets or Hello Barbie) or to be used alongside additional apps for an enhanced experience (VTech cameras or even Lego).

And whilst most of us are aware that using the internet brings risks of being hacked, or having personal data lost or misused, would we really expect this of our kids’ toys?

Part of the problem is that it’s not necessarily obvious from toy packaging that a ‘smart’ toy will only work if connected to the internet. Even if parents are aware of this requirement, it’s very hard to tell which toy companies take internet security and child safety seriously. Well-established companies such as Lego, who have been in the digital space for several years, have a more mature and better thought-through approach than many others who are newer to the market. But even this offers no guarantee.

What can parents do?

Certainly, the simplest option would be to leave internet-connected toys on the shelf. But this does seem like rather an extreme response, particularly for parents faced with demands from their children. So what else can parents do?

Right now, it’s hard to protect against all risks. One obvious option would be to buy toys from recognised, trusted brands, which might be expected to respond to any observed security flaws, like the criticisms Mattel faced when it released Hello Barbie just before Christmas 2015. 

Another useful tip is to look for online reviews before buying the toy. Concerns about CloudPets were quick to surface, for example, and tech news websites are often ahead of the game.

Finally, it pays to read carefully any information that accompanies a connected toy. There may be options to switch off particular features, or details of what data is collected and how it is used.

In the longer term, we should hope that pressure from consumer rights groups and even governments might encourage toy companies to place easy-to-understand details of internet connectivity and data use on the packaging.

Ultimately, perhaps the most important point is that we shouldn’t be lulled into a false sense of security by a toy’s appearance. It may look like a teddy, but if it talks to the internet, then it’s effectively a computer.

The advice published on Parent Info is provided by independent experts in their field and does not necessarily reflect the views of Parent Zone or NCA-CEOP.

Updated: May 2018
