So…Why is This Hackable Doll Still for Sale?

Senator Mark Warner takes the FTC to task for lax oversight of internet connected toys.

Originally Published: 
my friend cayla hackable doll

Wi-Fi teddy bears, dolls, and other smart toys that connect to the internet have come under fire lately for their lack of security protocol. Without much effort, hackers can use the toys to spy on children or steal information. Despite this, several questionable toys are still being sold. This doesn’t sit well with Virginia Senator Mark Warner, who recently took the Federal Trade Commission (FTC) to task for their lack of action on the risks posed by these toys.

In a four-page letter that referenced several recent toy hacks, Warner savaged the agency and asked how they planned to respond to concerned parents and child safety advocacy groups. “Reports of your statements casting these risks as merely speculative — and dismissing consumer harms that don’t pose ‘monetary injury or unwarranted health and safety risks’ — only deepen my concern,” Warner wrote.

There have been several recent high-profile incidents related to connected toys. The most recent of these, called out specifically by Warner, was a complaint by child safety groups on the possible dangers of the “My Friend Cayla” doll. According to the complaint filed with the FTC by the Electronic Privacy Information Center (EPIC), the Bluetooth-enabled doll has the ability to listen and record kids’ chatter but does not require adequate parental permissions to do so. EPIC alleged that the lax standards, including lack of authentication when connecting to smartphones and the internet put the toy at odds with the Children’s Online Privacy Protection Act (COPPA).

While these issues were enough to convince Germany to pull My Friend Cayla from store shelves, the doll is still widely available in the U.S. despite no apparent change in the way it collects or uses children’s data. That’s also the case for CloudPets, which suffered a hack that held more than 800,000 user accounts for ransom. The data held included private voice messages recorded by children for their parents and stored insecurely in the cloud. CloudPets maker Spiral Toys failed to tell users about the exposure and suggested only that they change their passwords after the hack was discovered by security researchers. Despite this, CloudPets are still readily available without any apparent updates.

And that’s exactly why Warner appears to be going after the FTC. After both the CloudPets and My Friend Cayla incidents, the agency has yet to take any action on manufacturers. In his letter, Warner asks the agency what it might take for them to require a “buy-back” of insecure toys, similar to the one the agency forced on Volkswagon in response to deceptive marketing.

Until the FTC does decide to work with Senator Warner and take action, parents should use extreme caution when purchasing toys that can connect to smartphones or the internet. Security specialists encourage users to have a home router protected by a firewall, use robust two-factor authentication in toys where it’s available, create strong unique passwords, or avoid toys altogether that do not have password requirements.

This article was originally published on