Donate
This Holiday Season, Make Sure Your Smart Toy Isn’t a Toy Soldier Thumbnail
‹ Back
Internet of Things (IoT) 20 December 2017

This Holiday Season, Make Sure Your Smart Toy Isn’t a Toy Soldier

Ryan Polk
By Ryan PolkPolicy Advisor

In the classic holiday story The Nutcracker, toy soldiers under command of a nutcracker spring to life to fight an army of evil mice. With the growth of smart toys, armies made up of toy “soldiers” could soon become reality. Using the same features that make them “smart,” smart toys can be taken over by outside actors and forced to do their bidding.

But rather than being led by a nutcracker to fight off evil rodents, real armies of toys could be led by criminals to attack you or me.

“Smart toys” (Internet or Bluetooth-enabled toys) are some of the most popular toys this holiday season. Internet or Bluetooth functionality enables smart toys to have amazing features. There are:

  • stuffed animals that play back messages sent from loved one’s smartphones
  • robots that teach children how to code
  • toys integrated with apps that teach reading and spelling skills while still providing physical exercise

Smart toys can do incredible things. Yet, if left unsecured, they not only present real privacy risks to the children and families who use them, but also security risks to everyone who relies on or uses the Internet.

Any Internet-connected device, be it a computer, connected thermostat, or smart toy, is at risk of being taken over by criminals if it is not secured properly. Some criminals may take over devices to steal information or spy on their users. Others will take control of devices to use in other crimes. Criminals build huge armies of bots (infected devices), called “botnets.” They use botnets to send spam emails, spread viruses, and attack other users, websites, infrastructures, and even other connected toys.

It is difficult to tell “bot” from “not.”  The same Internet-connected stuffed animal your child plays with by day could be part of a botnet carrying out attacks on others by night. 

Sometimes, bots will act differently than normal – perhaps a smart toy seeming to react to non-existent commands or making noises at odd times. However, even if a smart toy is part of a botnet, it could seem to function perfectly normally. For the more technically savvy users, it is possible to monitor the Internet traffic coming to and from the device to detect strange activity. Yet for the average user, it can be difficult to determine if their toy is part of a botnet, which makes good preventative security the best defense.

It is critical to take steps to prevent your smart toy from becoming part of a botnet. Here are five steps you can take:

  1. Buy secure. It is always easier to keep a smart toy secure if it has been built to be secure. Consumer organizations and others review connected devices and toys as part of their buying guides. Mozilla and Which? both released buying guides for smart toys this holiday season.
  2. After you buy it, keep up with updates. Even if a smart toy is secure when you buy it, you have to keep up with updates to keep it secure. When buying a device, make sure it can be updated. Another factor to consider is how long the software will be supported.
  3. Use a strong password. If the smart toy or app comes with  password protection, make sure you use a strong password. Do not just use the default password, a simple guessable password, or a password that uses easily accessible personal information. For example, that means do not use “1234” or “password” or your mother’s maiden name. Criminals have lists of common passwords that they try when attempting to gain access to devices. Do not reuse passwords, especially to secure critical devices in your house or your personal information. Use a password manager to remember the password (for toys and other home devices, maintaining passwords in a securely stored notebook is a fine solution) or use a passphrase that is easy remember.
  4. Turn off the smart toy or disconnect it from the Internet when not in use. To minimize the risk your smart toy may pose to others, turn it off or disconnect it when no one is playing with it.
  5. Take steps to make your home network more secure.  By protecting your home network, you limit your smart toy’s exposure to online threats and help mitigate the risk a smart toy bot on your network may pose to others. An easy way to make your network more secure is by using encryption, a strong password, and firewall for your home WiFi network. Firewalls are often built in to routers and only have to be turned on.

This holiday season, leave the toy soldiers to the fairy tales and keep your smart toys out of botnets. We all have a part to play in keeping the Internet safe. If done by many, even the smallest of actions, from updating a teddy bear to using a stronger password, can have a big impact.

Are you a manufacturer wondering how to make your products more secure? See the Online Trust Alliance’s IoT Trust Framework, which provides guidance for device manufacturers and developers to enhance the security, privacy, and sustainability of their devices and the data they collect.

For more information on strong passwords and how to create them, see the How-to-Geek article How to Create a Strong Password (and Remember It).

Want to do even more? Create a device white list for your router. With a white list, only the devices with approved MAC addresses are be able to use your network. For other advanced tips on how to better protect your home network, and the devices on it, see the Tom’s Guide article How to Secure Your (Easily Hackable) Smart Home.

‹ Back

Related articles

When It Comes to Smart Toys, It Pays to Shop Smart
When It Comes to Smart Toys, It Pays to Shop Smart
Internet of Things (IoT)24 November 2017

When It Comes to Smart Toys, It Pays to Shop Smart

When your in-laws give your child a loud toy for the holidays, you know you are going to have to...

The Internet of Insecurity: Can Industry Solve It or Is Regulation Required?
The Internet of Insecurity: Can Industry Solve It or Is Regulation Required?
Internet of Things (IoT)28 February 2017

The Internet of Insecurity: Can Industry Solve It or Is Regulation Required?

That was the question Bruce Schneier and I were asked by Craig Spietzle of the Online Trust Alliance (OTA) during...

Holiday DDoS Attacks: Targeting Gamers (Plus Five Things You Can Do)
Holiday DDoS Attacks: Targeting Gamers (Plus Five Things You Can Do)
Security7 January 2017

Holiday DDoS Attacks: Targeting Gamers (Plus Five Things You Can Do)

Over the past few years, a new tradition has emerged, the Holiday DDoS Attack. While distributed denial of service (DDoS)...

Join the conversation with Internet Society members around the world