Sen. Nelson Flags Cybersecurity, Privacy Problems in ‘Smart’ Toys

With just 11 days until Christmas, a report from the office of Sen. Bill Nelson is raising questions about personal information collected by companies making “smart toys” that are connected to the internet.

Internet-connected toys collect personal data about children and their parents and, in some cases, are capable of being hacked by criminals who can use a child’s Social Security number to apply for government benefits, open bank and credit card accounts or apply for a loan, according to the report published on Wednesday.

The Florida Democrat, who’s the ranking member on the Senate Commerce Committee, has a history of going after companies that he believes may be compromising consumer’s safety. In June, his staff issued a report skewering the Japanese company Takata and several automakers for the pace of recalling cars with defective airbags.

In the case of smart toys, a child’s name, home address, online contact information and physical location could be used to contact or even abduct a child, the report said.

Nelson called on the Federal Trade Commission to “carefully monitor” smart toys to ensure consumer information is kept safe. “It’s frightening to think that our children’s toys can be used against them in this way,” he said Wednesday in a statement, adding that companies manufacturing smart toys should do more to protect sensitive data.

At issue is whether the toy companies adequately protect information such as geolocation data, internet history, photos and messages from criminals and hackers.

Today’s report said Nelson launched the investigation into smart toy data security practices after a November 2015 article by Vice News revealed a data breach exposed the personal information of almost 5 million parents and more than 200,000 kids who bought or played with products sold by VTech, a Hong Kong-based smart toy manufacturer.

Nelson’s staff report cites the VTech hack as a sign that smart toy companies might not sufficiently guard personal data as well as vulnerabilities found in two other devices — a smart bear and a GPS watch.

For example, data collected by the Fisher-Price “Smart Toy Bear” — an internet-connected stuffed animal that talks, listens and remembers what a child says — could be compromised, according to the report, which noted that the toy collects the first names, birthdates and genders of children. Rapid7, a cybersecurity firm, found a security vulnerability in the bear that could allow a hacker to view the complete profile of a child as well as details about the parent who registered the toy, the report said.

Nelson’s investigation also unveiled a security vulnerability in GPS watches sold by hereO that parents use to track their kids’ locations. The security gap could allow a hacker to get authorization to view the real-time location of all family members on the account and view the history of where the child has been, the report said.

Mattel Inc., the parent company of Fisher-Price, and hereO didn’t respond to requests for comment.