The FBI has warned parents that internet-connected toys could pose privacy and "contact concerns" for children.
The FBI on Monday released a public service announcement (PSA) warning that smart toy sensors such as microphones, cameras, and GPS raise a concern for the "privacy and physical safety" of children.
"These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed," it warns.
It highlights that toys can collect the child's name, school, preferences, and activities when conversing with the toy or talking near it.
"The collection of a child's personal information combined with a toy's ability to connect to the internet or other devices raises concerns for privacy and physical safety," it says.
The FBI also warned of the risk of "child identity fraud" and "exploitation risks" in the event that account information and usage data, such as recorded voice messages and location, are leaked by companies that collect the data.
"Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks," it said.
The PSA follows several recent examples where poorly secured internet-connected toys have exposed children and parents to privacy risks.
Researchers discovered in February that Spiral Toys, the US maker of CloudPets connected toys, had leaked two million recorded messages of parents and their children via an unsecured online database.
Germany's Federal Network Agency also earlier this year banned the sale of the smart doll My Friend Cayla, ruling it a spying device due to its use of a microphone used to capture the user's speech and process it. The toy was criticized for lacking authentication controls for pairing over Bluetooth, potentially allowing anyone nearby with the Cayla app to connect to the doll and listen to a child.
The FBI's advisory echoed a warning that security experts have highlighted for several years over IoT security in general: "security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use."
Before purchasing a connected toy, parents should examine the firm's user agreement disclosures and privacy practices, and understand where data is sent and stored.
The Federal Trade Commission in June updated its guidance on the Children's Online Privacy Protection Act (COPPA), which applies to firms that collect personal information from children under 13. The FTC now says its enforcement of COPPA covers internet-connected toys along with already covered websites and apps.
Read more on Internet of Things security
- Internet of Things security: What happens when every device is smart and you don't even know it?
- Ten best practices for securing the Internet of Things in your organization
- The Internet of Weaponized Things: Time to tackle device security before it's too late
- Five nightmarish attacks that show the risks of IoT security
- 9 best practices to improve security in industrial IoT (TechRepublic)
- Smart gadgets need security. Startups, that's your cue (CNET)