What you need to know about IoT “smart toys”


What are smart toys?

The Internet of Things has been trying to make its way into the toy arena for a while now. Not content with connecting cars, fridges, homes and even wind farms, manufacturers are now starting to connect everyday toys to the grid.

Smart toys contain bits of circuitry which usually act as a sort of basic artificial intelligence, a database of some sort so that they can reference key words, and a means of communicating with other devices, such as mobile devices. Whether this is via Wi-Fi, ZigBee or Bluetooth can vary.

PenTest Partners have been making the news recently by showing how easy it is to hack a number of smart toys. A video of one such demo can be found here – https://www.youtube.com/watch?v=JMsv4kb9GIA.

This Christmas is more than likely going to be the most connected Christmas ever. To help you keep your personal information and integrity intact, and to understand what a smart toy is, here are a few points that you need to know and think about.

Wireless Network

This is more of a best practice than smart toy related, but ensure that your wireless network is kept secure. Ensure that your wireless is using WPA2 and not the weaker WEP or WPA.

Ensure that your wireless pre-shared key is a strong password: make sure that it's at least 8 characters long, that it is made up of upper and lowercase characters, and that it contains numbers and special characters. This pre-shared key should not resemble a dictionary word.


Depending upon the toy, it may need configuring. If the toy requires configuring, it is recommended that you configure it straight away, as soon as you turn it on. This will ensure that the vulnerability footprint is reduced. If the toy has any default access codes, for example, make sure that these are changed to something different.


Privacy is a big concern for everyone, especially when devices connect to external systems on the internet. Recently VTech experienced a breach of their servers which allowed malicious people to access content that had been uploaded via toys.

More can be found here – http://arstechnica.com/security/2015/12/man-arrested-in-toymaker-hack-says-he-wanted-to-expose-inadequate-security/

When using smart toys, read the terms and conditions of any additional software or documentation before you start using the toy. Be careful about what you may be exposing, and always ensure that you don't submit credit card information to unknown sources.


One of the main selling points of smart toys is the ability to connect to other devices, such as laptops, mobile phones and other toys. This type of interaction could be intercepted through the use of Man in the Middle attacks; in theory, such an attack could intercept commands and change them to perform some other interaction.


The above points are there to make you, the end user, think before using. As connected smart toys become more popular and as IoT gains more momentum, only time will tell how things move on.

I hope this post gives you food for thought.
