An Investigation into the Privacy and Security Risks of Smart Toys in New Zealand

Abstract

Smart toys are a growing portion of the children’s toy market. They offer a unique and personalised play experience via the use of onboard sensors, internet connectivity, and innovative technology. International research has shown that the smart toy environment can be insecure and vulnerable to cyberattacks and can place children at risk. Smart toy security and privacy must be understood to protect children; however, to date, the literature has not addressed this in the New Zealand context. To address this gap in the literature, this study investigates whether smart toys pose any security or privacy risks to New Zealand users. It asks, what common security and privacy impacting vulnerabilities are found in smart toys currently available for purchase by New Zealanders? Furthermore, what levels of privacy and security concern and awareness do New Zealand parents and guardians have regarding smart toy use? An anonymous online survey targeting New Zealand parents/guardians was designed. A total of 394 respondents answered 32 questions to determine their levels of concern and awareness around the privacy and security of smart toys. A security testing methodology was also used to assess a collection of smart toys to determine if they contained security or privacy vulnerabilities. Analysis of survey responses showed a high average level of concern of New Zealand parents/guardians (M = 8.26, SD = 1.7) around the security and privacy risks of using smart toys. The survey also revealed a low overall level of awareness regarding security and privacy risks when using smart toys, with participants answering an average of 14.5 out of a possible 30 (SD = 5.66) questions accurately. Analysis of the results from the physical security testing of a selection of smart toys showed insufficient authentication weaknesses, including unauthenticated Wi-Fi connections, unauthenticated Bluetooth pairing, and weak or no password use. Insecure data transfer was demonstrated, with some toys using no encryption for communication. Insufficient privacy protection weaknesses including the unreasonable collection of personally identifiable information, a lack of parental control mechanisms, and the use of non-random device identifiers, were also present. Based on these results, it can be concluded that smart toys pose security and privacy risks to New Zealand users, and that greater focus should be placed on educating parents and guardians about the potential risks these products pose and how to mitigate them. Smart toy manufacturers and legislators should additionally consider addressing the high levels of concern seen regarding these issues by focusing on safer smart toy design and strengthening existing privacy legislation for children’s products.