Parents warned must-have Christmas children's smart toys are vulnerable to hackers

Almost two thirds of popular smart toys shared data with third parties like advertising firms.

The 25 popular toys checked by The Times included the Furby Connect, Sphero BB-8 Robot and the Parker teddy bear.

In 28 per cent of cases the manufacturers did not say if children’s data was protected with encryption.

Smart toys typically connect directly to the internet or sync to a user’s smartphone and are becoming increasingly popular with a booming industry worth £4.8billion a year.

Concerns over smart toys and their data-security measures started in 2016 after experts warned that the microphone-enabled My Friend Cayla doll was accessible over an unsecured Bluetooth connection.

It was also reported that it allowed strangers to listen and talk to children.

It is believed that 2.2million voices of children were accessed by hackers after they were collected by Cloud Pets.

The Times data team analysed 25 toys including robots, drones, soft toys, games consoles and watches.

Some of the toys analysed

My Friend Cayla doll: Banned in Germany last year and regulators warn predators can connect to the toy via Bluetooth to eavesdrop or speak

Furby Connect: Tracks location and app can connect to your phone's camera

Sphero BB-8 Robot: Personal data can be shared and tracks location

DJI Drone: Does not use encryption and it is possible for hackers to access location and footage from the drone

Vtech InnoTab Max tablet: Note in privacy policy warns data can be transferred to other countries

Parker teddy bear: Comes with phone app that collects data

SoundMoovz: Mozilla Foundation warns of "red flag" with unanswered privacy and security questions

Cloud Pets: About 2.2million voice recordings were collected insecurely and then accessed by hackers

Nine toys had a built-in camera or microphone and four of them had both.

In 14 cases, the toys were able to connect to a phone app and requested access to the phone's camera, location data or microphone.

The privacy policies of 15 of them said they shared data with third parties.

The average length of the toys' privacy policies was 3,026 words.

In 12 of the cases it was not possible for The Times investigation team to find information to assess the toy’s safety.

Furthermore, in nine cases it was not clear if the toys used encryption; when approached by The Times, two companies said they did.

The remainder did not respond to The Times.

The toys studied by The Times included the £90 Vtech InnoTab Max tablet, which is advertised for children between the ages of three and nine.

It has a camera and microphone and shares data with an unknown number of third parties.

The Chinese company’s privacy policy tells parents and guardians that using the product could result in their data being transferred to countries that don’t have the same protection laws as the UK.

Sure Cloud, a security company, discovered the tablet could be hacked remotely to spy on kids.

Vtech has issued a “patch” to address the issue, but three years ago the company had a security breach where photos of children were exposed.


On the hack of its tablet, Vtech told The Times: “We took immediate action to resolve the issue and pushed out a firmware upgrade to all affected devices in Europe.

“The safety of children is our top priority and we are constantly looking to improve the security of our devices.”

The DJI Spark Selfie drone does not use encryption, according to the not-for-profit online policy organisation Mozilla Foundation.

Researchers at Check Point reported that hackers would be able to access data stored in the drone’s cloud servers, which includes flight logs, location information, and photos and videos from drone flights.

The Chinese company reportedly fixed the vulnerability before it was made public.

A third toy, the Parker teddy bear, requires users to download an iPad app, which requests permission to access the user’s camera.

Seedling, the manufacturer, collects data on the user’s location when they log into the app.

It also collects data from Facebook accounts if the user signs up via Facebook.

Its privacy policy says it cannot guarantee the security of the information it collects.

Seedling’s terms state that it is “expressly authorised to make any commercial use of the analytical data, including sharing [the data] with third parties” if it is anonymised.

Anne Longfield, the children’s commissioner for England, told The Times: “Children and parents should be able to make informed choices about how children’s data is used by toy companies, and they cannot do that if manufacturers are not being transparent.

“I want toy companies to simplify their terms and conditions so they can be understood by children and parents and to make clear on packaging if a toy captures a child’s audio or video, and how that information might be used.”

Sara Nelson, of Privacy International, added: “These companies must stop exploiting people’s data.”

The Sun Online approached Seedling, SoundMoovz, My Friend Cayla doll, Vtech and DJI for comment.