I-TEAM: High-tech toys could put your family's safety at risk

Posted at 10:28 PM, Sep 29, 2017
and last updated 2017-09-29 23:28:16-04

It seems harmless enough - a toy that talks and knows your child's name.  But if it connects to the internet, you could be putting your child at risk.  These high-tech toys are great when it comes to playing, but they now also come with an FBI warning.  

Joanna's two kids have the usual haul of toys. 

"They like puzzles and cars and trains and boats," she says.

The one thing you won't find in their house are toys that connect to the internet.

"It's just one little thing I can control," this mom told us.

When Joanna was researching baby monitors, she didn't like the risks that come with ones that connect to Wi-Fi.  

"I just didn't want something that could potentially be hacked," she explained.  

Joanna feels the same way about toys. Many toys are now equipped with voice recognition software, microphones, cameras that connect to the internet. More advanced toys that are also the new focus for hackers.  

Late last year 820,000 CloudPets accounts were hacked.  The toys, which are still on the market, connect to a mobile app.  Parents and kids can send each other messages through the stuffed animals.  The CloudPets data breach included kid's photos and voice recordings.    

"Many had their email addresses in there," Troy Hunt, a security researcher based in Australia, told us in a Skype interview.  He helped expose the CloudPets hack.  

Hunt and other investigators found CloudPets was storing kids' information on an insecure database.  That's like not having a password on your cell phone.  

He warned the problem with these kinds of toys is you have to rely on the manufacturer, and there's really no way to tell if a company is making good security decisions. Hunt said parents should decide if they want to take that kind of chance when it comes to their kids.

"I would not buy a connective toy which has a listening device and sits in their bedroom.  I think that's just a crazy idea," he said.

The risks have caught the attention of the FBI. The agency recently warned parents about these toys when it comes to privacy and physical safety.  

Kevin Bong is a local online security expert with Brookfield based Sikich. He pointed out as soon as you connect to one of these toys you're at risk of being hacked. Bong set up a demo for us - a child sending a message through a stuffed bear. He intercepted that message on its way to the cloud. Then Bong used it to search for other messages in different accounts.

"It's not a ton of work, it's minutes to hours of work if you know what you're doing and the payoff can be pretty big," Bong commented.

Those messages can lead a hacker to personal account information like email or mailing addresses, and birth dates. Joanna doesn't like the risk and will continue to keep it simple in the toy department.  

"It's just one less thing for me to be concerned about with their safety, because there's so many other things to worry about."

There was another big toy manufacturer hack less than two years ago.  VTech, which sells electronic toys, also had a flaw that leaked millions of consumers' information.  Like kids names, gender, and birth dates.  Parent's password information, email and home addresses were also exposed.  

There's no real way to protect yourself from a breach, but the FBI does recommend only connecting toys to a secure Wi-Fi, monitor your child's use, and turn off the toy when it's not being used.