For last-minute shoppers, tech toys hold a special appeal. They’re crowd-pleasers, and generally available with two-day shipping—or faster—from any number of online retailers. Stapling on internet connectivity also might make these flashy kids’ gadgets sound all the more appealing; it’s not just a teddy bear, it’s a machine-learning teddy bear. On the other hand: don't.

This is not a screed against technology generally, or even tech as it relates to kids; there are plenty of responsible, safe ways for children to navigate and benefit from the internet. Instead, it’s an important reminder that toys with an online connection are at their core just another IoT device, often replete with the same ills and vulnerabilities. Plus, they have the added horror of occasionally pointing a microphone or camera at your child.

“Generally, people may not make that leap” that an internet toy is just another part of the IoT landscape, says Tod Beardsley, research director at security firm Rapid7. But hackers who target poorly secured internet-connected devices don’t distinguish between, say, a generic webcam and a Wi-Fi action figure. “A lot of the infrastructure looks like regular old Linux or Android. An attacker doesn’t care; inside it’s just a computer,” Beardsley says.

Hacker Heaven

That makes internet-connected toys prime candidates to join a so-called botnet, an army of zombie machines used by hackers to launch denial-of-service attacks against websites, servers, or other pieces of internet infrastructure. Remember last fall, when the internet shut down across the US for the better part of an afternoon? A botnet made that possible.

To which you might say, OK, sure, but that doesn’t sound so bad, at least in terms of how it affects my joke-telling conversational robot for tweens. Which, fair! But there’s a reason the FBI this year issued a warning about internet-connected toys, and it’s not just the threat of getting caught up in botnets.

“These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities—including speech recognition and GPS options,” the agency wrote. “These features could put the privacy and safety of children at risk.”

That's not just hypothetical alarmism. When Mattel rolled out its talking, Wi-Fi enabled Hello Barbie doll in 2015, the product proved easily hackable; an attacker could have stolen anything from passwords to actual snippets of conversation before the toy giant rolled out fixes. More recently, the Norwegian Consumer Council found that it was trivial to track kid-focused smartwatches from multiple companies, and even use them to communicate with children who wear them.

'Maybe Santa gets to know who’s been naughty and who’s been nice. But not toy companies.' Marc Rotenberg, EPIC

The examples keep coming, including ones with real-world consequences. In March, a line of IoT teddy bears called CloudPets left two million messages recorded by the fluffy buddies exposed in an online database, where anyone could have listened to them—not to mention sifted through the 800,000 email addresses and passwords that were exposed as well. The list goes on, but you get the point.

Not every internet-connected toy is insecure, just like not every home webcam falls prey to hackers. But the IoT industry in general has a long way to go in terms of overall security, and toys as a subcategory are no exception. Besides, hackers aren’t even your biggest concern—more often than not, the companies themselves are.

Privacy First

Last year, several advocacy groups jointly filed a complaint with the Federal Trade Commission against two specific products made by Genesis Toys, My Friend Cayla and i-Que Intelligence Robot, alleging that they “unfairly and deceptively collect, use, and share audio files of children's voices without providing adequate notice or obtaining verified parental consent.” The toys have already been banned in Germany, and stripped from the shelves of Target and Toys R Us. (You can still find them on Amazon, albeit in limited quantity as of this post.) Genesis Toys did not respond to a request for comment.