Gift ideas? Perhaps check Mozilla's gadget security, creepiness ratings before you buy

Mozilla's buyers' guide rates the security and privacy of 70 connected things, ranging from toys to smart speakers.
Written by Liam Tung, Contributing Writer

Before buying connected toys and gadgets for the holiday season this year, it could be worth first checking Mozilla's 2018 edition 'Privacy Not Included' buyers' guide.

The guide offers an assessment of the privacy and security qualities of 70 different products, ranging from connected teddy bears, to smart speakers, games consoles, and smart home gadgets.

Products can be rated by the public on a spectrum from 'a little creepy' to 'very creepy'. Mozilla's researchers have also assessed whether each product uses encryption, how easy the privacy policy is to read, how security updates are handled, and whether the maker addresses security vulnerabilities.

Mozilla also adds a 'Meets Our Minimum Security Standards' stamp to a page if the product has met its minimum security standards for IoT products. And the listings briefly explain what could happen if something went wrong.

Among the 18 products listed in the Toys & Games page, just five products meet the minimum standards. They are Microsoft's Xbox One, the Nintendo Switch, Sony PS4, the Harry Potter Kano Coding Kit, and the Amazon Fire Kids Edition.

One product Mozilla is warning consumers to stay away from is the Fredi Baby Monitor, because it doesn't use encryption, has a default password of '123', has been hacked before, and lacks a privacy policy.


Just six of the 18 wearables in the guide pass Mozilla's minimum standards. Apple AirPods don't get a stamp of approval, but the Apple Watch Series 4 does.

Among smart home products, most smart speakers get a stamp of approval, including the Amazon Echo and Dot, Google Home, Apple HomePod, Sonos One, and the Mycroft Mark 1.

Oddly, not a single Nest product earns a badge of approval from Mozilla, despite being part of Google's bug bounty program, using encryption, offering automatic security updates, and not sharing information with third parties.

Nest's apparent shortcoming is that its products don't rely on password-based authentication.


