The Information Commissioner’s Office (ICO) has issued a warning to parents over the dangers of internet-connected children’s toys.

In the lead-up to Christmas, many will be considering buying children’s presents that are connected to the internet, and as such leave themselves vulnerable to cyberattacks.

As with many consumer IoT products, there are considerable security implications, given that the majority of smart home devices come without encryption or security protection.

Now, the ICO has warned that children may be at particular risk due to the proliferation of connected toys. The Office said that it ‘supports innovation and creative uses of personal data, but this cannot be at the expense of people’s privacy and legal rights.’

Making a comparison between advances in the physical safety of kids’ toys in recent years, the ICO argues that those buying toys should make cybersecurity a primary concern.

When considering a purchase, there are multiple considerations, according to the organisation. As well as a child’s online safety, consumers should also think about the ‘potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into.’


IoT: IoT key to future of UK industry, says government-backed report

Related: IoT devices reveal private information despite encryption, study warns


The Office has issued guidance on toys, noting that a major selling point of many child-related internet-connected devices is the ability to view footage remotely through a fitted camera. The ICO advises that the risk of this feature being exploited means users should turn the function off if they have no intention of using it, or employ strong passwords.

Similarly, smart watches for kids allow parents to know where they are, at all times. Useful though this may be for parents, the guidance notes that if it isn’t done securely, it can effectively be an open door for others to gain access to that data as well. It also warns against the dangers of unencrypted Bluetooth.

As well as these IoT specific warnings, the ICO has offered basic security tips, suggesting buyers thoroughly research products beforehand, only buy from secure sites, and create strong passwords.

Princeton researcher Noah Apthorpe, who authored a study on the risks of IoT devices, commented: ‘My research suggests that even if recommendations are met, determined adversaries may still be able to infer some private information about users of IoT devices.’

Following guidelines, however, ‘would significantly increase the difficulty of performing such attacks and completely protect some entire classes of vulnerabilities,’ he added.

The ICO’s guidance comes shortly after both consumer advice organisation Which? and software firm Mozilla issued similar advice.