Consumer Alert on Smart Toys This Holiday Season

Experts warn some toys that connect to the web could be vulnerable to hackers.

By ABC News
December 16, 2016, 5:25 PM

With Santa due to arrive in a little more than a week and so-called smart toys likely on more than a few kids' Christmas lists, experts are warning consumers about hackers potentially targeting gadgets geared to children that also connect to the internet.

A new Senate report released recently said that some toys that connect to the internet and often record videos and conversations can be susceptible to hacks and could compromise personal pictures and conversations as well as sensitive information like security questions, birth dates and even credit card numbers.

"It's a computer that happens to be shaped like a kids' toy," said Tod Beardsley, the senior security research manager at Rapid7, a cybersecurity firm.

"These toys end up in a lot of places ... They can go to the kid's school. They can go to your office when it's Take Your Kid to Work Day," Beardsley said. "These devices can connect to an enterprise network and that can create more risk exposure."

In January, Rapid7 found flaws in the Fisher-Price Smart Toy Bear, a "Wi-Fi-connected stuffed animal" that collects a wide range of information including emails and passwords; names and birthdates; as well as images and audio, according to the Senate report.

The firm found a "security vulnerability" with the bear, the report states.

"This vulnerability could have allowed an attacker to access the Smart Toy server and view children's profiles," the firm said.

Mattel, the parent company of Fisher-Price, said the problem was fixed within a week.

"In the case of the Fisher-Price Smart Toy Bear, we worked closely with our technology partner, Smart Toy, to ensure that their technology complies with applicable privacy and security laws, and we required the company to undergo third-party data security assessments," Mattel said in a statement to ABC News.

In December 2015, Hong Kong-based VTech, which makes high-tech educational toys for children, said that it had suffered a security breach to its database, potentially putting millions of consumers at risk.

Its customer database includes "general user profile information," according to the company, such as a customer's name, email address, password, their secret question and answer for retrieving a lost password, IP address, mailing address and download history.

VTech told ABC News that it had since made changes to "enhance the security of customer data."

Experts suggest consumers protect themselves by reading the device's privacy policy to learn what personal information the smart toy will collect, and by changing the default passwords the toy comes with.

"Parents need to be aware that when they're introducing new computers — that are shaped like toys — into their home networks, they are actually computers and they can be accessed remotely," Beardsley said.

ABC News' Angelique Yack contributed to this story.