Mozilla Foundation commissioned an independent cybersecurity firm to audit 10 of this year’s most popular connected toys that are widely representative of the connected toy market. Their hands-on testing revealed significant vulnerabilities, but also plenty of ways you can reduce risks and take control of your and your children's data. Here’s how.

1. Change the default settings

Your kids will (understandably) want to play with a toy as soon as it’s out of the box. But don’t just hand it over with the factory settings. Make it a ritual at home to open up the toy and set it up together. Here’s what to do:

1. If the toy comes with a password, change it to a strong password. You might pick this for the child to be sure it’s unique and complex. Turn on two-factor authentication if available.
2. If the toy asks for identifying information (names, birthdays), enter fake data.
3. If the toy works offline, keep it offline. If you’re taking it online, use secure Wi-Fi networks.
4. Opt out of unnecessary data collection. For instance, opt out of additional personalization.

Prefer local data processing over cloud processing.

Disable or restrict cameras (maybe there’s even a camera cover), microphones, chat features, and location sharing. And make sure these features are fully off (not just in sleep mode) when you’re done playing.

Set up automated security updates.

Our audit found the main risks were related to SD memory cards, cameras, microphones, bluetooth, and GPS or location tracking. So if your toy has these elements, decide for yourself what you want on or off.

2. Skim the privacy and security policies

Privacy policies are dense legal documents, but skimming can give you a hint about risk. Here are the words to search for:

• What data is being collected (biometric info - red flag)
• Where is my data being stored? On the device or off the device (on device only is best)
• Who is this data being shared with? (vague list - red flag)
• How can I opt out of data collection and exercise my privacy rights? (does this look hard to do? No specific contact point? - red flag)

Also look at the policy for software security updates. Confirm that the manufacturer is providing security updates, and see how long they’ll provide them. Many companies won’t provide updates for more than a few years, but kids may want to keep toys much longer. When the company stops patching up flaws, that would be the time to disable any connected features.

3. Research the toy manufacturers

Many smart toy manufacturers are on a budget. These devices need to be small and cheap; consumers aren’t buying the tech equivalent of a smartphone, they want to pay for a toy. This doesn't leave much margin for toy makers. For example, they may be working with more limited hardware and less robust programming languages. Third party security and privacy audits aren't mandatory, so companies will take shortcuts here.

Price can be a good proxy for safety. We recommend you choose a brand that has a strong track record on privacy and security. Here’s a checklist:

1. They should advertise that they have advanced security features such as encryption, privacy controls, and software maintenance.
2. They may also mention that they’ve undergone testing–ideally a third party audit that uses widely recognized industry standards.
3. Avoid counterfeits and no-name or drop-shipping companies. Those will likely have cut even more corners on security and may have further vulnerabilities baked in.

Lastly: If you’re donating or regifting, make sure you’ve cleared the toy’s memory.

Most of the toys we reviewed come with internal memory that allows them to save media like voice clips, images, and video captured through microphones and cameras. Make sure you wipe all stored data if you’re going to pass it on.

The holiday season is a time to relax and feel connected to your loved ones, not just your bluetooth. If you go for a smart toy this year, just remember to outsmart it.

Illustration by Nancy Tran. Photo: Adobe Stock