Strangers can talk to your child through ‘connected’ toys, investigation finds

Strangers can talk to your child through ‘connected’ toys, investigation finds

Which? investigation finds security flaws in ‘intelligent’ toys such as CloudPets and Hasbro’s Furby Connect

CloudPets soft toys
Researchers found CloudPets could be hacked via their unsecured Bluetooth connection. Photograph: Cloudpets/Spiral Toys

A consumer group is urging major retailers to withdraw a number of “connected” or “intelligent” toys likely to be popular at Christmas, after finding security failures that it warns could put children’s safety at risk.

Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child.

The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.

With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.

When switched on, the Furby Connect – on sale at Argos, Amazon, Smyths and Toys R Us – could be connected with any device within a Bluetooth range of 10 to 30 metres.

With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid.

CloudPets toys, on sale at Amazon, are stuffed animals that enable friends to send a child messages that are played on a built-in speaker. But Which? found the toy could be hacked via its unsecured Bluetooth connection.

Also available from Amazon, the Toy-Fi Teddy allows a child to send and receive recorded messages over Bluetooth via a smartphone or tablet app. Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.

“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” said Alex Neill, the managing director of home products and services at Which?. “Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”….more here

Leave a Reply