Your Christmas gifts are probably already open, but cybersecurity experts warn that a new toy or gadget could be opening your home to hackers and identity thieves.
“You may buy a teddy bear that has voice control, and for that voice control to operate, it needs a microphone and it also has a speaker,” said CEO and Co-Founder of Keeper Security, Darren Guccione. “Within the toy itself, it has a series of processors which consist of hardware and software, as well as a storage device. That information permeates across a multitude of OEM (original equipment manufacturer) devices and toys throughout the industry. An Echo Dot is a device that a lot of us use today. That type of technology is often implemented in a plethora of different toys for children.”
Guccione warns that any toy or device with the ability to connect to WiFi or Bluetooth could pose risks. Bluetooth has a different protocol than WiFi, but both security protocols are equally important, according to Guccione.
Some devices and toys that are both popular with kids and considered risky by cybersecurity experts were put on “The Naughty List,” which was created by the nonprofit ParentsTogether.
One of the devices on the list is the KidiBuzz 3 Smart Device, which is targeted at kids ages 4 to 9.
The Federal Trade Commission fined VTech, the device manufacturer, $650,000 for allegedly collecting “personal information of hundreds of thousands of children... without providing direct notice and obtaining their parents’ consent.”
Data is often referred to as “the new gold,” which is why companies are incentivized to collect it.
“For market research, there’s a tremendous value to understand children as they progress over the course of time and grow into an adult; understanding how they transact, and what type of device has great value. Organizations purchase this type of private and sensitive information for market research and targeting. This is a very common practice and this information is worth billions of dollars annually,” Guccione said.
If data is the new gold, it also explains why cybercriminals are rushing to gather it.
“Personal identifiable information is valuable in the Dark Web — think of it like this marketplace for cybercriminals to interact, to buy and sell personal, identifiable information,” Guccione said. “They used this information to target their attacks and victims.”
When buying a toy or gadget, it’s important to purchase it from a verified source.
“A toy is a perfect device to plant malware on. Malware creates what’s called a Botnet,” Guccione said. “When you have millions of connected devices, such as toys that have malware installed, a cybercriminal will use a command server (it’s like a computer). That will direct all these toys that are infected with this malware, then target that web traffic to a website. We call this a distributed denial of service attack, or a DDoS attack. DDoS attacks are used by cybercriminals to take down organizations and websites. And it’s a very effective way to initiate another type of attack, which you’ve probably heard of: ransomware.”
Some more tips from Guccione and Keeper Security:
- Parents should never hand over a device (such as a tablet) to their children without properly setting it up. Always set it up before gifting it.
- When setting up a device, learn, understand, and implement parental controls.
- Never use the admin or default password on a smart toy. Always use a high-strength password with at least 10 characters, including numbers, letters, and symbols.
- Use two-factor authentication whenever possible.
- Only provide personal information that is necessary for a device to operate. In many cases, providing personal information is optional and not required to use a device or toy.
“Because of the level of sophistication with children, parents from a different era tend to not engage with something that they don’t naturally understand,” Guccione said. “They’ll hand a new toy to a child and say, ‘Here you go, Merry Christmas!’ Then they unwrap the toy, start ripping the box open, and (the kids) self register. (That) is extremely dangerous.”
©2023 Cox Media Group