A recently published study by consumer watchdog Which? has found that connected toys pose a string of complex security risks.
Just in time for the start of the Christmas shopping season, Which? is calling on retailers to stop selling a number of connected toys.
The consumer watchdog organised testing of a range of WiFi and Bluetooth-connected toys on sale at many major retailers, including Argos, Hamleys, Toys R Us and Amazon. These included: Furby, I-Que Intelligent Robot, Toy-fi Teddy, CloudPets, Wowee Chip, Fisher-Price Smart Toy Bear and Mattel Hello Barbie.
Read more: IoT teddy bears leak more than 2 million recordings between parents and kids
Riddled with flaws
In all cases, toys’ Bluetooth connections had not been secured, says Which?, “meaning during the tests, our hacker didn’t need a password, PIN code or any other authentication to get access.”
More worrying, in four out of seven of the devices put through their paces, the researchers found that vulnerabilities would allow a stranger to communicate with a child, via that toy. These problems were found in:
- Furby Connect: “Anyone within a 10-30 metre Bluetooth range can connect to the toy when it’s switched on, with no physical interaction required,” says Which? “This is because it does not use any security features when pairing. Plus, you can make the connection via a laptop, opening up more opportunities to control the toy. Our security experts were able to upload and play a custom audio file on the Furby.”
- I-Que Intelligent Robot: This uses Bluetooth to pair with a phone or tablet through an app but the connection is unsecured. The Which? investigation found that, “anyone can download the app, find an I-Que within Bluetooth range and start chatting using the robot’s voice by typing into a text field.” The toy is made by Genesis Toys, Which? notes, which also manufactures a doll, Cayla, that was recently banned in Germany due to security and hacking concerns.
- CloudPets: This cuddly toy purports to enable friends to send messages to a child, but Which? found that it was possible for a hacker to exploit its unsecured Bluetooth connection and make it play their own messages.
- Toy-fi Teddy: This toy allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. Again, Which? found the Bluetooth lacks any authentication protections, meaning hackers could send their voice messages to a child and receive answers back.
Read more: IoT device makers: Tackle security or face legal action
Warning to parents and retailers
Alex Neill, managing director of home products and services at Which?, explained that his organisation has written to retailers to warn them of the risks.
“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” he said.
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
All of the manufacturers involved were given a right of reply. A the time of writing, only Furby maker Hasbro and i-Que Robot distributor had answered and their responses can been seen here. Spiral Toys, the maker of CloudPets and Toy-fi Teddy declined to comment, according to Which?
Spiral Toys has been accused of lax security before – as recently as February 2017, in fact, when Internet-connected teddies made by the firm were found to have leaked the email addresses and password details of more than 800,000 customers online.
And in July this year, the US Federal Bureau of Investigation (FBI) issued a public guidance notice, urging parents to report weak security in children’s toys connected to the internet.
Read more: More than two-thirds of consumers are concerned about IoT device security