Baby Monitors and Smart Toys: The Devices Watching Your Children

The Nursery Under Surveillance

In October 2025, a Colorado mother heard a stranger's voice coming through her baby monitor. She ran in and unplugged it immediately. [1]

She's not alone. Parents across the country have reported hackers speaking to their infants, playing music at 3 AM, or silently watching through nursery cameras. [2]

The US baby monitor market is expected to hit $740 million by 2033. [3] Many devices have critical security flaws. Smart toys routinely violate children's privacy laws. And the footage from hacked baby cameras has ended up on underground websites.

The device meant to protect your child might be exposing them instead.

When Strangers Speak to Sleeping Babies

The Stripling family in Arkansas thought their password was strong enough. Then a stranger hacked into their home and spoke to their baby through the monitor. [2]

"I want to burn it," said Stephanie Stripling. They've since switched to an offline monitor and won't use WiFi monitors "whatsoever."

How Hackers Get In

Baby monitor hacks typically happen through: [4]

  • Default passwords: Many parents never change factory settings
  • Weak WiFi security: Hackers break into the network, then access connected devices
  • Device vulnerabilities: Unpatched software with known security holes
  • Internet sweeping: Automated tools scan for unsecured cameras with default credentials

Families don't have to be targeted specifically. Hackers sweep the internet looking for any camera still using factory settings. [5]

What Hackers Can Do

  • Watch silently: View your baby, your home, your daily routines
  • Speak through the speaker: Talk to your child without your knowledge
  • Record footage: Capture video that may end up on illicit websites
  • Control the camera: Pan and zoom to see more of your home
  • Access your network: Use the monitor as an entry point to other devices

Research Reveals "Child's Play" Vulnerabilities

In 2024, security researchers from Bitdefender revealed that hacking IoT baby monitors is "child's play." [6]

What They Found

  • Critical security flaws in popular smart baby monitors
  • Weak authentication that can be bypassed
  • Unencrypted communications allowing interception
  • Third-party connections to servers parents don't know about

One research team discovered that some monitors regularly contacted a server in Beijing that didn't belong to the manufacturer. [7] These third-party relationships are common in IoT devices but rarely disclosed.

Euroconsumers Testing

Belgian and Portuguese consumer groups tested digital baby monitors and found: [8]

  • Serious security flaws across multiple products
  • Lack of basic protections in wearables and tablets aimed at kids
  • Children's information and location wide open to hackers

The $740 Million Nursery Surveillance Market

Baby monitors have evolved from simple audio devices to sophisticated surveillance systems:

Market Size

  • $370 million in 2024 [3]
  • $740 million projected by 2033
  • 8.11% CAGR growth rate

Features Collected

  • HD video (often 1080p+)
  • Two-way audio
  • Night vision
  • Temperature/humidity
  • Motion and sound alerts
  • Cloud storage of recordings

Privacy Concerns

  • WiFi monitors most vulnerable
  • Cloud storage = third-party access
  • App permissions often excessive
  • Data sold to train AI algorithms

Where Your Baby's Data Goes

Baby monitors are now technically similar to home surveillance products, and often made by security companies. [7] This creates concerning possibilities:

  • Training data for AI: Video from baby monitors could feed algorithms for other surveillance devices
  • Third-party sharing: Many apps share data with analytics and advertising companies
  • Cloud storage risks: Your baby's video stored on servers you don't control
  • Cross-device tracking: App permissions may access other data on your phone

Smart Toys and COPPA Violations

It's not just monitors. Connected toys, tablets, and wearables aimed at children routinely violate privacy laws.

FTC vs. Apitor (September 2025)

The FTC took action against robot toy maker Apitor for allowing "a Chinese third party to collect sensitive data from children using its product, in violation of COPPA." [9]

What happened:

  • Third party collected geolocation data from children
  • Parents were not notified about the data collection
  • No parental consent was obtained
  • Children under 13 had their data collected illegally

Apitor faced a $500,000 penalty (suspended because they couldn't pay) and must delete the illegally collected data. [9]

The Updated COPPA Rule (January 2025)

The FTC strengthened children's privacy protections in January 2025: [10]

  • Separate parental consent required for sharing children's data with third parties for targeted advertising
  • Cannot retain data indefinitely, only as long as "reasonably necessary"
  • Parents must opt in to targeted advertising (not opt out)
  • Prohibition on monetizing children's data without active permission

The Enforcement Problem

Despite the rules, violations continue. Alan Butler of the Electronic Privacy Information Center (EPIC) noted: [11]

"For any new device coming onto the market, if it's not complying with COPPA, then it's breaking the law... there's a lot of toys on the market [using AI] and there's a need to ensure that they're all complying."

The problem: there's no pre-clearance review of toys before they're sold. [11] Companies can sell privacy-violating toys until someone catches them.

The Amazon Alexa Problem

In 2023, the FTC found that Amazon had: [12]

  • Ignored parents' requests to delete children's voice data
  • Kept children's voice recordings and location data for years
  • Violated COPPA (Children's Online Privacy Protection Act)

Amazon paid $25 million to settle. Many families use Alexa-enabled devices as baby monitors or in children's rooms, meaning kids' voices have been collected and retained for years without proper consent.

Types of Baby Monitors: Security Comparison

Safer Options

Audio-Only Monitors (Non-WiFi)

  • No internet connection = no remote hacking
  • Limited range reduces interception risk
  • No video means less sensitive data
  • Cannot be accessed from outside your home

FHSS (Frequency-Hopping) Monitors

  • Rapidly switches frequencies, making interception difficult
  • Often considered safest from hackers [4]
  • Still local-only (no cloud)
  • More expensive but more secure

Higher Risk Options

WiFi/IP Cameras

  • Connected to your home network and internet
  • Can be accessed remotely (by you, and potentially hackers)
  • Often use cloud storage
  • Most hack incidents involve these devices

Smart Monitors with Apps

  • App may have excessive permissions
  • Data transmitted to manufacturer servers
  • Third-party integrations increase attack surface
  • AI features may use your baby's data for training

How to Protect Your Family

If You Use a WiFi Baby Monitor

Immediate Steps

  1. Change the default password, use a strong, unique password
  2. Update firmware, check for security patches regularly
  3. Enable two-factor authentication if available
  4. Disable remote access if you don't need to view the monitor outside your home
  5. Check for unknown logins in the app's access history

Network Security

  1. Secure your WiFi with WPA3 or WPA2 and a strong password
  2. Create a separate network for IoT devices (guest network or VLAN)
  3. Disable UPnP on your router
  4. Keep router firmware updated

Ongoing Practices

  • Turn off the camera when not needed
  • Point it away from sensitive areas when possible
  • Review app permissions and revoke unnecessary access
  • Monitor for unusual behavior (camera moving on its own, LED lights when not in use)

Signs Your Baby Monitor May Be Hacked

  • Camera moves or pans without your input
  • Strange voices or sounds from the speaker
  • LED indicator on when you're not using the app
  • Settings changed that you didn't modify
  • Unfamiliar devices in the app's access list
  • Higher than normal data usage on your network

Safer Alternatives

  • Non-WiFi monitors: Cannot be hacked remotely
  • Local-only cameras: Store footage on SD card, no cloud
  • Audio-only monitors: Less data to compromise
  • Direct connection: Monitors that connect directly to a parent unit, not through your network

Smart Toys: What Parents Should Know

Before You Buy

  • Research the manufacturer: Have they been fined for privacy violations?
  • Check for an internet connection: Does the toy need WiFi to work?
  • Read the privacy policy: What data is collected and where does it go?
  • Look for encryption: Is data transmission secured?
  • Consider "dumb" alternatives: Does the toy really need to be "smart"?

Connected Toy Red Flags

  • Requires account creation with child's information
  • Has microphone or camera capabilities
  • Connects to servers in countries with weak privacy laws
  • App requests excessive permissions
  • No clear way to delete data

If Your Child Already Has Smart Toys

  1. Review what data has been collected in the app or account settings
  2. Disable features you don't need (especially microphones/cameras)
  3. Update firmware for security patches
  4. Consider disconnecting from WiFi if the toy works offline
  5. Delete data periodically if the option exists

What Needs to Change

A Cyber Resilience Act is in development in Europe that will require consumer IoT devices to be "cybersecure by design and by default." [13] But it won't require third-party security assessments, manufacturers will verify their own products.

What parents need:

  • Pre-market security review: Test devices before they're sold, not after breaches
  • Mandatory encryption: All baby monitors should encrypt video transmission
  • No default passwords: Require unique passwords at setup
  • Clear data practices: Obvious disclosure of what's collected and where it goes
  • Automatic updates: Security patches installed without parent intervention
  • COPPA enforcement: Actually fine companies that violate children's privacy

The Bottom Line

Baby monitors are being hacked. Smart toys violate children's privacy laws. And the footage from your nursery could end up anywhere.

The US baby monitor market will hit $740 million by 2033. Security researchers call hacking these devices "child's play." Parents have heard strangers speaking to their infants, and companies like Amazon have illegally retained children's voice data for years.

The FTC updated COPPA rules in 2025, but enforcement is reactive, toys can violate the law until someone catches them. There's no pre-clearance review.

To protect your family:

  1. Consider non-WiFi monitors if remote access isn't essential
  2. If using WiFi monitors: Change default passwords, update firmware, enable 2FA
  3. Secure your home network and isolate IoT devices
  4. Be skeptical of smart toys that require internet connections
  5. Disable microphones and cameras on toys when not needed
  6. Monitor for signs of compromise (camera movement, strange sounds)

The device watching over your baby should be working for you, not for hackers, advertisers, or anyone else. Until manufacturers prioritize security over features, parents have to fill that gap themselves.

References

  1. CBS Colorado - Colorado mom says she heard a stranger talking through her baby monitor (October 2025)
  2. THV11 - Searcy family says stranger spoke to baby through hacked monitor
  3. GlobeNewswire - United States Baby Monitor Forecast Report 2025: A $740 Million Market by 2033
  4. Baby Gear Essentials - Can a Baby Monitor Be Hacked? How To Protect Your Privacy
  5. NPR - S.C. Mom Says Baby Monitor Was Hacked; Experts Say Many Devices Are Vulnerable
  6. Bitdefender - Hacking these IoT baby monitors is child's play, researchers reveal
  7. TechPolicy.Press - How Secure Is a Smart Baby Monitor? Finding Out Is Far Too Difficult
  8. Euroconsumers - Baby beware: critical security flaws found in smart baby monitors
  9. FTC - FTC Takes Action Against Robot Toy Maker for Allowing Collection of Children's Data (September 2025)
  10. FTC - FTC Finalizes Changes to Children's Privacy Rule (January 2025)
  11. The Regulatory Review - Can Privacy Regulations Outsmart Smart Toys?
  12. Malwarebytes - Amazon's COPPA violations and children's data retention
  13. SEC Consult - Internet Of Babies - When Baby Monitors Fail To Be Smart