A practical guide for parents to audit the data collection of Bluetooth and Wi-Fi-enabled children's toys using open-source tools, revealing what information these devices send to the cloud and how to verify their privacy claims.
The market for smart toys is booming, with Bluetooth- and Wi-Fi-enabled devices promising interactive play for a generation of iPad-native children. Yet behind the marketing promises lies a fundamental question: what data are these toys collecting, and where is it going? Recent regulatory actions, like the FTC's $25 million fine against Amazon for Alexa storing children's voice recordings, underscore the real privacy risks. The FBI advises parents to research digital toy privacy but offers no practical methodology. This guide provides a hands-on approach to auditing these devices.
The first step is always to read the toy's privacy policy and any companion app's terms. Scrutinize what information is tracked, how it's used, and with whom it's shared. Look for compliance statements with the Children’s Online Privacy Protection Act (COPPA), which governs data collection for children under 13.
Next, determine the toy's connectivity method, usually listed on the box or manual. A Wi-Fi toy connects directly to your router to send data to the internet. A Bluetooth toy typically pairs with a smartphone app, which may then relay data to the internet via Wi-Fi or cellular. The testing approach differs for each.
Auditing Bluetooth Toys
For Bluetooth toys that require a smartphone app, you can intercept the data traffic between the app and the internet using a man-in-the-middle proxy. We recommend HTTP Toolkit, a free tool with a user-friendly interface available for macOS, Windows, and Linux.
Prerequisites: A computer and the toy's smartphone, connected to the same Wi-Fi network.
Step-by-Step Process:
Install HTTP Toolkit: Download the installer for your operating system from the HTTP Toolkit website. On macOS, drag the application to your Applications folder.
Find Your Computer's IP Address: On your computer, note its local IP address. On macOS, go to System Settings > Network > Wi-Fi > Details. Write down the IP address listed.
Configure the Proxy on Your Smartphone:
- On your iPhone, go to Settings > Wi-Fi.
- Tap the (i) icon next to your connected network.
- Scroll down and select Configure Proxy > Manual.
- Under Server, enter the IP address from your computer.
- Under Port, enter 8000 (HTTP Toolkit's default).
- Leave Authentication off.
Prepare Your Smartphone for Clean Traffic:
- Close all background apps by swiping up from the bottom and swiping away each app.
- Go to Settings > Battery and enable Low Power Mode to pause background app activity.
- Go to Settings > Privacy & Security. Turn off Tracking, and scroll down to disable Analytics & Improvements and Apple Advertising.
Install the Root Certificate:
- On your computer, open HTTP Toolkit. It should default to the "Intercept HTTP" page. Select the "Anything" box.
- In HTTP Toolkit, click "Export CA certificate" and email or AirDrop the certificate file to your iPhone.
- On your iPhone, open the certificate (using the Mail app or accepting the AirDrop). You'll see a "Profile Downloaded" notification.
- Go to Settings > General > VPN & Device Management, tap the "HTTP Toolkit CA" profile, and install it.
- Finally, go to Settings > General > About > Certificate Trust Settings and enable full trust for the HTTP Toolkit certificate.
Monitor Traffic:
- Return to HTTP Toolkit on your computer and switch to the "View" tab. You should see a stream of network requests from your phone.
- As a test, open Safari on your phone and visit a website like themarkup.org. You should see the corresponding traffic appear in HTTP Toolkit.
- Now, launch the toy's companion app and use all its features. Observe what data is being sent. For example, if the app asks for a birthday or music service preference, note if that information is transmitted.
Real-World Test: We applied this method to an "Encanto" karaoke machine using the "EZ Link" app. The app requested a birthday and a music streaming service choice. However, after testing all features—playing music, using the microphone, and recording—HTTP Toolkit captured no data being sent. The app's traffic was minimal and secure, a positive finding for the eKids product.
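Checking "whether that information is transmitted" by eye gets tedious once an app makes dozens of requests. The script below is an added example, not code from the original article or from HTTP Toolkit: it assumes you have exported the captured session as a standard HAR file, and it searches every request's URL, headers and body for the exact values you typed into the companion app (the sample HAR, host names and values are constructed).

```python
import json
import sys
from urllib.parse import unquote, urlparse

# Constructed HAR excerpt standing in for an exported capture (hosts and
# values are made up; ".invalid" is a reserved, unroutable TLD).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://api.example-toy.invalid/v1/profile?nick=Lucy",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"text": '{"birthday": "2016-03-14", "service": "spotify"}'}}},
    {"request": {"method": "GET",
                 "url": "https://cdn.example-toy.invalid/songs/list",
                 "headers": []}},
]}}


def find_leaks(har, secrets):
    """Return {secret: sorted list of hosts} for every secret that appears in a
    request's URL, headers or body (case-insensitive, URL-decoded)."""
    hits = {s: set() for s in secrets}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlparse(req["url"]).hostname or "?"
        parts = [unquote(req["url"])]
        parts += [f"{h['name']}: {h['value']}" for h in req.get("headers", [])]
        parts.append(req.get("postData", {}).get("text", ""))
        haystack = "\n".join(parts).lower()
        for s in secrets:
            if s.lower() in haystack:
                hits[s].add(host)
    return {s: sorted(h) for s, h in hits.items()}


if __name__ == "__main__":
    # Pass the path of your own HAR export; otherwise the constructed sample is used.
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    # The exact values you typed into the companion app during the test.
    for secret, hosts in find_leaks(har, ["Lucy", "2016-03-14", "spotify"]).items():
        print(f"{secret!r}: {'sent to ' + ', '.join(hosts) if hosts else 'not observed'}")
```

A match tells you which host received the value in the clear; a miss is weaker evidence, because an app can encode, hash or encrypt a field before sending it, so treat "not observed" as "not observed in plain form".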
Cleanup: After testing, reverse the changes: quit HTTP Toolkit on your computer, set your phone's proxy back to "Off," turn off Low Power Mode, and remove the "HTTP Toolkit CA" profile from Settings > General > VPN & Device Management.
Auditing Wi-Fi Toys
Wi-Fi toys connect directly to your home network, requiring a different monitoring approach. We use IoT Inspector, a research tool from NYU that monitors IoT device traffic. Important Caveat: This tool may have bugs and could interfere with your network. Only run it on a network you own.
Prerequisites: A computer (macOS or Windows) and the toy connected to your Wi-Fi.
Step-by-Step Process:
Install and Run IoT Inspector:
- For Windows: Download the zip file from the IoT Inspector GitHub repository, extract it, and double-click IoT Inspector.exe.
- For macOS: Open the Terminal app (Finder > Applications > Utilities). Install command-line tools by typing xcode-select --install and pressing Return. Then, install IoT Inspector by running the provided installation command from its GitHub page.
Launch the Tool: Start IoT Inspector via the Terminal command. It will display a network URL. Copy this URL and paste it into your web browser.
Agree to Terms: Review and accept the warnings. You can optionally consent to share anonymized network data with NYU researchers for their study (see their Privacy Policy).
Identify the Toy: The web interface lists all devices on your network with their local IP and MAC addresses. IoT Inspector attempts to guess manufacturers, but this is imperfect. To find your toy:
- If the toy isn't yet connected, connect it and look for a new device in the list.
- If it's already connected, check the toy's settings or companion app for its IP or MAC address.
- Alternatively, perform actions on the toy (e.g., turn on a camera) and see which device in IoT Inspector shows a spike in traffic.
Monitor and Analyze: Once identified, uncheck "Inspect" for all other devices to focus on the toy. Click on the toy's entry to see the domains it contacts. Unlike Bluetooth monitoring, this shows the destination domains but not the exact data payload. Look for correlations: if activating a camera sends large amounts of data to a specific domain, it likely streams video there.
Real-World Test: We tested a Tamagotchi Uni. It only sent data to aws.amazon.com, using Amazon AWS for online connectivity. The toy asked for only a nickname and birthday during setup, but we couldn't confirm the exact data sent to Amazon.
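The two judgement calls in the Wi-Fi procedure, spotting which device spikes when you use a feature and then which domain on that device receives the spike, can be made systematically. The script below is an added example, not code from the original article or from IoT Inspector: it assumes you have per-flow byte counts with timestamps, device MAC and destination domain (the records here are constructed to mimic what the tool displays), and compares bytes per second in a baseline period against the window in which the camera was on.

```python
from collections import defaultdict

# Constructed flow records standing in for what IoT Inspector observes:
# (seconds since start, device MAC, destination domain, bytes sent). The camera
# is switched on at t=10 and off at t=20; all values are made up.
FLOWS = [
    (1, "aa:bb:cc:00:00:01", "time.apple.com", 120),
    (2, "aa:bb:cc:00:00:02", "toy-cloud.example", 300),
    (5, "aa:bb:cc:00:00:01", "icloud.com", 900),
    (8, "aa:bb:cc:00:00:02", "ota.toy-cloud.example", 250),
    (11, "aa:bb:cc:00:00:02", "stream.toy-cloud.example", 48000),
    (13, "aa:bb:cc:00:00:02", "stream.toy-cloud.example", 51000),
    (15, "aa:bb:cc:00:00:01", "icloud.com", 800),
    (17, "aa:bb:cc:00:00:02", "stream.toy-cloud.example", 49500),
    (19, "aa:bb:cc:00:00:02", "toy-cloud.example", 310),
]

def bytes_by(flows, field, start, end):
    """Sum bytes per device (field="device") or per domain (field="domain")
    over flows with start <= t < end."""
    idx = 1 if field == "device" else 2
    totals = defaultdict(int)
    for flow in flows:
        if start <= flow[0] < end:
            totals[flow[idx]] += flow[3]
    return dict(totals)

def rate_increase(flows, field, baseline, window, mac=None):
    """Rank keys by how much their bytes/second rose from the baseline period
    to the activity window. `mac` restricts the flows to one device."""
    subset = [f for f in flows if mac is None or f[1] == mac]
    base = bytes_by(subset, field, *baseline)
    act = bytes_by(subset, field, *window)
    base_len, win_len = baseline[1] - baseline[0], window[1] - window[0]
    delta = {k: act.get(k, 0) / win_len - base.get(k, 0) / base_len
             for k in set(base) | set(act)}
    return sorted(delta.items(), key=lambda kv: kv[1], reverse=True)

def attribute_activity(flows, baseline, window):
    """Which device's traffic jumped when the feature was used, and which
    destination domain on that device received the jump."""
    device, _ = rate_increase(flows, "device", baseline, window)[0]
    domain, delta = rate_increase(flows, "domain", baseline, window, mac=device)[0]
    return device, domain, delta

if __name__ == "__main__":
    dev, dom, delta = attribute_activity(FLOWS, baseline=(0, 10), window=(10, 20))
    print(f"{dev} sent about {delta:.0f} extra bytes/s to {dom} while the camera was on")
```

Repeat the on/off cycle a few times and keep the baseline free of other activity (phones, streaming boxes) so that a coincidental update from another device is not mistaken for the toy's traffic.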
Cleanup and Rerunning: To quit, click "Quit IoT Inspector" or close the Terminal. Use the "Reset IoT Inspector" button in the tool's settings to clear device lists before future runs. To rerun, simply re-execute the launch command in Terminal and proceed from the web interface.
Interpreting Results
Combine your traffic analysis with a thorough reading of the manual and experimentation. A toy's privacy policy might claim minimal data collection, but your network logs can verify this. Conversely, you might find data being sent to unexpected domains, warranting further investigation.
This process empowers parents to move beyond trusting marketing claims and make informed decisions about the devices entering their homes. While some toys, like the Encanto karaoke machine and Tamagotchi Uni, showed relatively benign behavior in our tests, the methodology is critical for evaluating any new smart toy.
Tools & Resources:
- HTTP Toolkit - For Bluetooth traffic interception.
- IoT Inspector GitHub - For Wi-Fi IoT device monitoring.
- The Markup's Klaxon Newsletter - For ongoing tech accountability reporting.