Final Post on Smart Toy Security and Privacy -16

Throughout the semester I have been researching Smart Toys and the associated security and privacy issues. In order to best understand this topic I started by establishing a working definition for smart toy and built up my understanding from there until I could grasp the intricacies of the security and privacy issues associated with smart toys. My personal favorite definition of a smart toy is was provided by Cyber Security expert Dr. Patrick Hung, he defines smart toys as a device consisting of a physical toy component that connects to one or more toy computing services to facilitate gameplay in the Cloud through networking and sensory technologies to enhance the functionality of a traditional toy. Smart Toys belong to an emerging category of electronic devices known as “IoT” or Internet of Things. Although the term “Internet of Things” first appeared in the literature in 2005, there is still no widely accepted definition. One participant described the IoT as the connection of “physical objects to the Internet and to each other through small, embedded sensors and wired and wireless technologies, creating an ecosystem of ubiquitous computing.” Some examples of IoT devices are clocks, microwaves, radios, and TOYS. These types of electronic devices are becoming increasing sophisticated and are capable of providing technologically advanced solutions for their users with a variety of applications. In addition to internet and networking technologies, smart toys utilize a number of hardware and software assets to perform their operations, several of which have been linked to security vulnerabilities. These vulnerabilities allow hackers or malicious actors to capture data, perform surveillance and monitoring, and commandeer computer systems. In recent years a number a National and International Toy companies have fallen victim to large scale security breaches resulting in the loss of user account information that includes items such as names, addresses, photos, videos, voice-recordings, gps coordinates, as well as other collections a personal information obtained by the devices through voice recordings, analytics, and user input. As a result of the security breaches, many privacy and security watchdog organizations began taking notice of the frequent security and privacy issues associated with IOT devices and smart toys. These watchdog groups have been responsible for exposing security vulnerabilities overlooked or neglected by toy companies. In addition to security analysis, watchdog and advocacy groups provide a channel for individuals to address their security and privacy concerns to government bodies. A recent complaint to the FTC, filed by Campaign for a Commercial Free Childhood (CCFC), the Center for Digital Democracy (CDD), Consumers Union, and the Electronic Privacy Information Center (EPIC), argues that a popular smart toy collects data without proper parental consent, a violation of COPPA the Children’s Online Privacy Protection Act. The security vulnerabilities associated with smart toys present parents with the difficult task of addressing their own cyber security issues. Moving forward parents will need a basic understanding internet privacy practices in order to adequately protect their children.