'Toys can be directed to take pictures, video, audio, and you will have no idea it is happening' - Irish cyber security expert warns parents
With internet-driven drones and remote control gadgets top of Christmas wish lists, our reporter asks if the toys we are putting in our homes are in danger of being hacked
They are Wi-Fi-connected, go-anywhere spies, able to stream live video and audio from your home direct to the internet. And they will be some of the most popular toys under the tree this Christmas.
Gadgets like the Rover 2.0 App-Controlled Wireless Spy Tank represent the latest generation of "spy toys", remote control cars, bugs and drones designed to put James Bond technology in the hands of our children.
These vehicles and drones can roll or fly around your home virtually unnoticed, streaming live video and audio to social media sites. Some have night-vision or stealth capability. And even if they are sitting on a shelf, "switched off", they can be remotely hacked, turned on and set to spy on your family by any bad actor with basic skills and technology.
It's not just these hugely popular spy drones that parents should worry about. Cyber security experts warn that any "Next Gen" toy with connectivity to the internet - kids' tablets, cameras, dolls, teddy bears, robots and dinosaurs - can be hacked into and used to harvest data on your children and your personal life.
From the moment a toy is connected, it is collecting data. Some interactive toys have cameras which can be accessed remotely and made to take pictures or video. Others ask your kids to register with a central server, providing details such as age, gender, interests and date of birth. This information is regularly shared with third parties by the toy manufacturers and has been shown to be vulnerable to hacking.
Dublin-based cyber security consultant Ciaran Maguire warns that many parents have no real idea what the "toy" they have just brought into their home is capable of.
"If it is connected, it can be hacked. If it collects data, this can be accessed. The spy car that sits on your shelf, turned off, for days, can be switched on and directed to take pictures, video, audio, and you will have no idea it is happening," he says.
"If you have a connected toy, anybody could be sitting in a car up to a mile away from your home, using a pretty basic Wi-Fi booster to target your home router and take control of the device.
"Many interactive toys will ask for information such as the age and gender of the child and their date of birth. They will collect family photos, messages between kids and their parents, all sorts of very sensitive information. But you have no idea where or how this is being stored, what the security measures are, who is allowed to access the data and how easy it is to hack.
"These are still novelty toys. The laws on storing and protecting data vary greatly from country to country and some companies have been shown to be not very serious, to say the least, when it comes to cyber security," adds Ciaran.
"I would be concerned that nine out of 10 parents really have no idea what these toys are capable of and the risks they pose."
Ciaran points out that tech-obsessed kids are often way ahead of their parents when it comes to using connected toys and playing with the cheap and user-friendly drone technology that was, up until recently, strictly for military or intelligence use.
With three boys aged between five and 12, Yvonne Whelan is not too worried about requests to Santa for Hello Barbie dolls this Christmas.
However, her boys are gadget-mad. And Yvonne, who lives in Naas, Co Kildare, says she and her husband are in a sort of hi-tech arms race to make sure they are protected.
"We are very aware of just how connected their toys and gadgets are and it's a big concern for us," says Yvonne.
"We are always trying to stay one step ahead, when it comes to phones, their toys, technology in general. It's obviously a far different world to the one we grew up in and there are a lot of dangers out there".
Yvonne has given two of their old iPhones to their two eldest, Jack and Tom, to use for themselves.
"We did think it over very carefully, but we found an app which allows us to lock the phones out from the internet except for one hour a day. That's the time they can connect, but we keep a very close eye on what they are looking at and how they interact".
The idea of a toy like a Wi-Fi-connected spy drone - a remote-control vehicle equipped with a camera, microphone and night-vision - strikes Yvonne as "scary".
"I can't believe any parent would want something like that, which could be hacked into pretty easily and is basically a spy-cam in your home," she says.
"The boys love their Xbox, but we've disabled the connect option so they can't play online. We know it's going to be an issue when they get older and they want to play with friends in Cork or wherever, we'll deal with that when we get there. But for now, they are too young and the risk is too great".
There has already been one major security breach involving the most popular tech toy range on the market, the VTech brand.
In 2015, more than 6.3 million children's accounts were affected by a security breach, which gave the perpetrator access to data such as photos, chat logs and personal information collected and stored via VTech devices. The company promised a full review of its security. But earlier this year VTech updated its terms and conditions to say that parents must take responsibility for future breaches.
The EU has promised comprehensive legislation on mass data hacks and breaches, to be made law in 2018, which will impose severe financial penalties on companies which fail to protect customer data.
In the meantime, these "Next Gen", fully connected toys continue to find their way into millions of homes.
Kids love them and many offer strong educational benefits which have been recognised and lauded by experts in paediatric development. The American Academy of Paediatrics - which sets the gold standard in the US - has recently reversed years of thinking on "Screentime" for kids under the age of five and recommends that parents use these connected devices for their developmental value.
But the advice is for parents to strictly supervise time and access and to educate themselves on the risks as well as the benefits. And when it comes to cyber security, these basic guidelines become even more urgent.
Top Wi-Fi toys making Santa's list
Furby Connect, From €74.99
The popular fluffy animals from the 90s are going hi-tech with an app that connects them to iPhones, tablets and other devices. They update and interact with kids via the app.
Rover 2.0 App-Controlled Wireless Spy Tank, €55
A remote-control vehicle with a camera, microphone and even a night-vision/stealth mode - able to go anywhere in the house, connect to your smartphone or tablet and stream video from right inside your home live to YouTube, Facebook or other social media sites.
VTech InnoTab Max Blue, €110
One of the latest of the very popular kids' tablets, aimed at ages 3-9, with full connectivity via Wi-Fi (there are locking and safety features which parents will have to familiarise themselves with).
LeapFrog Leap TV, €43.99
A very popular educational video gaming system that's part of the Leap range. Connects via Wi-Fi, has a camera and works with various apps and a dedicated library of games and activities.
Hello Barbie, from €45
Hello Barbie doll uses Wi-Fi and speech recognition technology to engage in two-way dialogue - the child's voice is recorded, sent to a central server in the US and analysed to allow the doll to make the appropriate response.
Vivitar DRC-333 Remote-Control Drone, €110
This drone is very high-powered, with a sophisticated camera that allows kids to fly virtually anywhere and watch video in record or real-time mode. It's Wi-Fi-connected and has a bracket which allows you to "fly" your smartphone over the target area.
A parent's check list on cyber security
On the manufacturer
• What information of yours are they collecting?
• Why are they collecting it?
• Which third parties are they sharing it with and why?
On the device
• Does it have removable batteries? This is important when it comes to totally shutting down a toy and preventing it being remotely activated.
• Do you understand all the features? Do you know how to disconnect it from your home Wi-Fi and activate locking features?
• Will you proactively update the device to ensure the latest security patches are installed?
• Is it compliant with EU data protection and security regulations?
• Do you carefully monitor how your child is using the toy, how they are connecting to social media and what data and media they are uploading?
- Ciaran Maguire