Playtime is over: Can smart toys ever be safe?

The Internet of (play)things will take center stage at the RSA security conference in San Francisco. Don't look for easy answers.

Laura Hautala

Remember Chucky? The sinister toy with the soul of a serial killer who starred in six slasher films? That toy creeped us out as it tried to transfer its soul onto a human victim.

But Chucky was so last century. This century's creepy toys pose a different sort of danger: transferring information about the kids who play with them to hackers.

That's what happened in November, when someone broke into the customer accounts of VTech, which makes connected toys, games and tablets for young children. That breach affected 6.4 million children around the world.

The Hong Kong toymaker subsequently changed the terms and conditions of its products, limiting its liability "for the acts of third parties," it said in a statement. "No company that operates online can provide a 100 percent guarantee that it won't be hacked."

Troubling, no?

But it's not just connected toys that are vulnerable. The problem applies to any device within the broad trend called the Internet of Things, the notion of tying any and every thing into the Net. Billions of sensors will be built into appliances, security systems, health monitors, door locks, cars and wearables, all sending mountains of data that could be scooped up if not secured. Research firm Gartner expects sensors will be embedded in 6.4 billion devices of some kind or another this year alone, more than tripling to 20.8 billion connected things by 2020.

Which explains why the Internet of Things will be one of the hottest topics at next week's RSA conference of cybersecurity experts, held every year in San Francisco. At issue: Device makers need a system to thoroughly vet the security of their products before they ship, and they need to set up hotlines and response protocols when researchers find problems. Security pros complain that many manufacturers compromise safety for the sake of ease of use.

For many people, toys epitomize IoT's potential dangers. To be fair, though, their vulnerabilities sometimes seem more sensational than they actually are. Consider Mattel's $75 Hello Barbie. In December, security researcher Matt Jakubowski said he'd discovered a flaw in the toy's software that could allow hackers to pinpoint doll owners' home addresses. To do that, though, they'd have to be on the same Wi-Fi network.

In February, cybersecurity company Rapid7 found that the Fisher-Price Smart Toy, a plush little teddy bear that can hold conversations with children, could leak parents' and kids' data. Fisher-Price is a subsidiary of Mattel.

Et tu, Teddy?

Tod Beardsley, one of the Rapid7 researchers who identified the flaws in the Fisher-Price Smart Toy, said most companies making connected devices -- not just toys -- aren't paying close enough attention to security.

"We're going to see this over and over again," he said. Beardsley even worries when he doesn't hear about security problems associated with connected devices. That's because companies that aren't reporting flaws probably aren't paying close enough attention.

"You're signing up for this, so you need to step up," he said.