Kids’ toys have serious privacy problems

Think connected toys for kids are more secure than those for adults? Think again.

Kids' toys have serious privacy problems

Considering the sweeping regulations and laws meant to safeguard children’s privacy in particular, you might think electronic devices and connected toys for kids would be particularly safe and secure. We generally regard children’s privacy as sacrosanct — kids are particularly vulnerable to advertisers, marketers, predators, and more.

Kids' toys have serious privacy problems

With each new data leak brought to light, it becomes ever more clear that we cannot trust manufacturers to take care of our security, or the security of our children. Let’s analyze a couple of examples to understand the nasty surprises smart toys can hold.


In December 2016, privacy advocates filed a complaint with the US Federal Trade Commission against Genesis Toys, producer of Cayla dolls and i-Que toy robots. Another defendant was Nuance Communications, the company behind the speech-recognition technology enabling the toys to converse with kids.

The plaintiffs were quite clear from the start: “This complaint concerns toys that spy.

Let’s examine the elements of the claim:

  • The app Cayla dolls use to interact requires permission to access files stored on a device, and i-Que’s app asks for permission to access the device’s camera. The vendor does not explain why the apps need those permissions. Moreover, permission to access the camera is not cited on the official website or in the demo video.
  • To connect to a smartphone or tablet, the toys use Bluetooth, an insecure connection that does not require authentication. In addition, the toy does not notify users when it connects to a device. This insecurity can allow an intruder not only to eavesdrop but also to talk to the kid.
  • The toys advertise, mentioning various brand names during conversation.
  • The Cayla doll app prompts kids to provide personally identifiable information: parents’ names, place of residence, name of school, and more.
  • Both apps send recordings of conversations to Nuance Communication’s servers, where they are analyzed to improve responses. The recordings are stored on the servers, again for the purpose of improving the service.
  • Vendors fail to clearly explain what kind of data they gather from kids.

Genesis Toys’ spying capabilities were sufficient cause for German regulators to ban their sales entirely. Owners of insecure toys were urged to get rid of them. The German government identifies such toys as concealed surveillance devices, which are prohibited by law.

In December 2016, the Consumer Protection Board of Norway also expressed its concern about privacy issues in Cayla dolls and i-Que robots.

By contrast, the British Toy Retailers Association commented to the BBC that Cayla “offers no special risk.”


In another security incident, “leak” comes nowhere close to describing the magnitude of the breach. To extend the metaphor, it was a catastrophic dam break that caused a flood, or even a deluge, of personal data. Or, to be painfully precise, there was no dam to begin with.

Spiral Toys’ CloudPets are plush animals that exchange messages between kids and parents. The toy connects to parents’ smartphones over Bluetooth, and parents use a special app to connect to the toy.

It may be a great way for parents to stay in touch with their kids, but the content gathered by the system was not properly secured. The database of user credentials was not protected at all. Anyone could connect to the server without authentication, look up the data, or duplicate the database and store it on another computer.

Security researcher Victor Gevers noticed the issue and notified the vendor on December 31, 2016. Then Troy Hunt, a renowned security expert, received from an anonymous source a file containing more than half a million CloudPets user records. In addition to the child’s name, each record contained a birth date and information on relatives the kid talked to through the toy. The overall count of compromised CloudPets user records surpassed 800,000.

An outsider in possession of the password can download all messages sent through the toy. Unlike the other data, users’ passwords were hashed to protect them. Hashing provides some protection, although brute-force attacks can still reveal passwords, particularly simple ones.

Unfortunately, it’s also quite possible to eavesdrop on conversations without the password. As it turned out, the recordings of messages and images were stored in the cloud on an Amazon S3. An attacker had only to click a link from the compromised database to get a sound file from the server. The total number of available recordings surpassed 2,000,000.

Of course, it wasn’t only white hats who learned about the insecurity. The server storing kids’ data turned into a mess, with database copies being deleted and ransom demands made. The database was subsequently taken down, although copies could still be out there.

Spiral Toys did not respond to the people trying to notify it about the problem, which included Gevers, Hunt, Hunt’s informant, and reporter Lorenzo Franceschi-Bicchierai. Then, in March 2017, the US Senate requested Spiral Toys come clean on the data leaks and its data-protection policies. Troy Hunt published the text of the request.

Spiral Toys finally responded — to the Attorney General of California. published the response. The company said it was made aware of the incident on February 22 by Franceschi-Bicchierai, who learned about the compromise from an unnamed source. Although a number of security researchers tried to get in touch with the company before February 22, Spiral Toys said it never got those messages and was investigating the cause.

The leak, Spiral Toys pointed out, was part of a massive attack on MongoDB installments all over the Internet. Voice messages and pictures were not affected, said the company, because they were stored on another server. The compromised database was not the main database, it said, but a temporary one used by developers.

Spiral Toys also published a FAQ for users containing the above information and noting the company’s new, stronger password requirements.

Open databases

Other prominent leaks include the database of the official website on the company behind Hello Kitty toys (3,300,000 user records compromised) and the database of VTech’s online store (5,500,000 user records and a huge amount of kids’ photos compromised). Both incidents happened in 2015.

The CloudPets service and Hello Kitty website developers used the MongoDB database management solution, which made a lot of headlines after hackers compromised (or, more precisely, got full control over) tens of thousands of databases.

Owners of hijacked databases may be victims, but they are not innocent. By failing to require authorization, MongoDB left database doors wide open, and by using open databases, manufacturers indicated they didn’t care.

Of course, MongoDB is not the entire problem — the overall state of security needs work. All efforts by regulators, privacy advocates, and security experts simply cannot overcome the speed of new tech adoption and the overall trend of user data devaluation.

By the way, after the compromise of MongoDB, hackers undertook massive attacks of distributed database management systems. Any unprotected database will end up leaked online, and the average user won’t be able to do a thing about it. It’s cold comfort that one database leak was just a temporary, auxiliary database if the data was real. Shutting down a compromised system doesn’t magically make personal data private again.

Tips for parents

Be cautious about giving your kid a smart electronic toy. In particular, note the following red flags:

  • If the toy sends data to the Internet. Many toys do, and the trend even extends to regular stuffed toys.
  • If you can’t control the toy’s actions. At least Cayla dolls have a flashing indicator showing the microphone is on. With mobile apps, you may not even know when they start. Kaspersky Lab has found that 96% of apps start in background mode, even if a user does not launch them.
  • If a toy is equipped with a microphone and a camera. It’s not just advanced teddy bears and robots — this category includes mobile apps with relevant permissions.
  • If a toy pulls personal information out of the kid.
  • If the settings are too simple. For example, a Bluetooth connection does not require authentication.

Even one of these points should be enough to reconsider the balance of connected-toy fun and your child’s privacy.