The toys your kids unwrap this Christmas could invite hackers into your home.
That Grinch-like warning comes from the FBI, which said earlier this year that toys connected to the internet could be a target for crooks who may listen in on conversations or use them to steal a child’s personal information.
The bureau did not name any specific toys or brands, but it said any internet-connected toys with microphones, cameras or location tracking might put a child’s privacy or safety at risk. That could be a talking doll or a tablet designed for kids. And because some of the toys are being rushed to be made and sold, the FBI said, security safeguards might be overlooked.
Security experts say the only way to prevent a hack is to not keep the toy. But if you decide to let a kid play with it, there are ways to reduce the risks:
Do your research
Before opening a toy, search for it online and read reviews to see whether there are any complaints or past security problems. If there have been previous issues, you may want to rethink keeping it.
“You shouldn’t use it,” said Behnam Dayanim, a partner at the Paul Hastings law office in Washington and co-chair of its privacy and cybersecurity practice.
Companies can change their privacy policies, so read them again if you’re notified of a change.
Use secure Wi-Fi
Make sure the Wi-Fi the toy will be connected to is secure and has a hard-to-guess password. Weak passwords make it easier for hackers to access devices that use the network. Never connect the toy to free Wi-Fi that’s open to the public. And if the toy itself allows you to create a password, do it.
Power it off
When the toy is not being used, shut it off or unplug it so it stops collecting data.
“They become less of an attractive target,” said Alan Brill, who is a cybersecurity and investigations managing director at consulting firm Kroll in Secaucus, New Jersey.
If the item has a camera, face it toward a wall or cover it with a piece of tape when it’s not being used. Toys with microphones can be thrown in a chest or drawer where it’s harder to hear conversations, Brill said.
Register, but don’t give away info
A software update may fix security holes, and you don’t want to miss that fix, Brill said.
But when registering, be stingy with the information you hand over; all they need is contact information to let you know about the update. If they require other information, such as a child’s birthday, make one up. “You’re not under oath,” said Brill. “You can lie.”
If the toy or device allows kids to chat with other people playing with the same toy or game, explain to children that they can’t give out personal information, said Liz Brown, a business law professor at Bentley University in Waltham, Massachusetts, who focuses on technology and privacy law.
Discussions are not enough; check the chat section to make sure children aren’t sending things they shouldn’t be, Brown said. People could be pretending to be kids to get personal information. “It can get creepy pretty fast,” said Brown.
Reputable companies that make toys with microphones will offer ways for parents to review and delete stored information. Take advantage of that.
If a toy was compromised by a hacker, the FBI recommends reporting it online through its internet crime complaint center at IC3.gov.