FBI warns parents of serious privacy and safety risks that come with internet-connected children's toys

The US Federal Bureau of Investigation has warned that children's toys connected to the internet come with serious privacy and safety risks. In an advisory posted on the agency's website on Monday (17 July), the FBI said smart toys and similar entertainment devices for children often contain sensors, microphones, cameras, speech recognition, GPS options and data storage that could disclose significant personal information.

Some toys with microphones, for example, could record information such as child's name, school, likes and dislikes, activities and other data, the agency said.

Besides the personal information collected from users when creating a new account, the FBI said companies also collect other additional user data such as voice messages and recordings of conversations, real-time and previous locations, internet usage history as well as internet addresses and IPs.

"The exposure of such information could create opportunities for child identity fraud," the FBI warned. "Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks."

The FBI also raised concerns over the potential of hackers exploiting these toys to spy on users.

"Communications connections where data is encrypted between the toy, Wi-Fi access points, and internet servers that store data or interact with the toy are crucial to mitigate the risk of hackers exploiting the toy or possibly eavesdropping on conversations/audio messages," the advisory read.

Hackers could also target unprotected Bluetooth-connected toys that do not require PINs or passwords when pairing with a mobile device, the FBI said, in order to gain access to the toy, listen in or even communicate with a child user.

"It could also be possible for unauthorised users to remotely gain access to the toy if the security measures used for these connections are insufficient or the device is compromised," the agency said.

The FBI has urged parents to review toy company user agreement disclosures and privacy practices to find out "where their family's personal data is sent and stored, including if it's sent to third-party services".

"Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use," the FBI said. "The cyber security measures used in the toy, the toy's partner applications, and the Wi-Fi network on which the toy connects directly impacts the overall user security.

"Voice recordings, toy Web application (parent app) passwords, home addresses, Wi-Fi information, or sensitive personal data could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored."

The FBI's advisory comes amid growing privacy and security concerns over increasingly popular smart toys and internet-connected devices.

In February, Germany banned the popular My Friend Cayla dolls, manufactured by US company Genesis Toys, over privacy and spying concerns . The country's Federal Network Agency advised parents who bought the Bluetooth-equipped dolls to destroy them or disable its wireless connection. According to technology research firm Gartner, an estimated 8.4 billion "connected things" will be in use globally this year, up 31% from 2016. This figure is expected to reach 20.4 billion by 2020.