Kids toys aren’t what they used to be: Barbies now have mechanical brains, and gadgets like smartwatches are being made child-friendly. And anything connected to the internet comes with the risk of being hacked or misused to gather sensitive data about its owner—a liability now being passed on to children.
The latest example comes from developer Roy Solberg, who uncovered that the kid-friendly Gator 2 smartwatch he bought for his child could be easily hacked from a web browser. The watch, marketed as “children’s first cellphone,” and provides GPS-enabled location information so caregivers can know where their kids are at all times.
Solberg found by testing his own watch that an attacker could modify the location-tracking feature and download messages sent between parents and children. The attacker only needed the unique serial number given to every internet-connected device, an IMEI number. After confirming the hack himself, Solberg changed just one number of his watch’s IMEI and was able to download a private message from a similar Gator watch in Sweden.
“When you buy a product like this you expect to make them more safe,” Solberg writes in a blog post describing the vulnerability. “But what happens is that you put your child at risk. Any predator can track your kid, and even start see patterns in when a child usually goes to e.g. school or after-school activities.”
This is far from the first gadget marketed towards children that has had major security concerns emerge. In 2015, cybersecurity researchers found that they could hack internet-connected Barbies to spy on the children who played with them. The researchers were able to get direct access to the doll’s microphone, meaning they could record everything the doll heard, as well as system data that allowed access to the entire home wi-fi network.
“You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want,
Mattel, maker of Barbie, also decided just this month to cancel the release of an upcoming smart speaker aimed at kids, due to privacy concerns. Earlier this year, a smart teddy bear was found to leak 2 million recordings of parents and kids and 800,000 account credentials. Around the same time, Germany banned a smart doll after finding it could be similarly hacked.
The situation has also warranted FBI intervention. In July 2017, the bureau recommended parents think about the implications of any internet-connected toy being hacked before bringing it into their homes.
“These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities—including speech recognition and GPS options,” the FBI wrote. “These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”