Hack­ing risk

Strangers us­ing smart toys to talk to chil­dren

Irish Examiner - - Front Page - Josie Clarke

A num­ber of con­nected or “smart” toys ex­pected to be top sell­ers this Christ­mas have “con­cern­ing vul­ner­a­bil­i­ties” that could pose a risk to child safety, a con­sumer group has warned.

Which? said its test­ing found four toys — the Furby Con­nect, i-Que In­tel­li­gent Robot, Toy-Fi Teddy, and Cloud Pets — could be used by a stranger to talk to a child.

The test­ing found that the Blue­tooth con­nec­tion in each of the toys had not been se­cured, mean­ing the hacker used for the in­ves­ti­ga­tion did not need a pass­word, PIN, or any other au­then­ti­ca­tion to achieve ac­cess.

In ad­di­tion, “very lit­tle tech­ni­cal know-how” was needed to gain ac­cess to the toys to start shar­ing mes­sages with a child, the watch­dog said.

Which? has writ­ten to re­tail­ers call­ing on them to stop sell­ing toys with proven se­cu­rity is­sues fol­low­ing its snap­shot test in col­lab­o­ra­tion with Ger­man con­sumer group Stiftung War­entest and other se­cu­rity re­search ex­perts.

The test­ing found any­one within a 10m-30m Blue­tooth range of the Furby could con­nect to the toy when it was switched on, with no phys­i­cal in­ter­ac­tion re­quired be­cause it does not use any se­cu­rity fea­tures when pair­ing.

The in­ves­ti­ga­tion also found that any­one could down­load the app for the iQue In­tel­li­gent Robot, find one of the toys within Blue­tooth range and start chat­ting us­ing the robot’s voice by typ­ing into a text field.

Which? found the Cloud Pets toy could be hacked via its un­se­cured Blue­tooth con­nec­tion and made to play their voice mes­sages, while the Toy-Fi Teddy lacked any au­then­ti­ca­tion pro­tec­tions, mean­ing the watch­dog’s hack­ers could send their voice mes­sages to a child and re­ceive an­swers back.

Alex Neill, Which? man­ag­ing di­rec­tor of home prod­ucts and ser­vices, said: “Con­nected toys are be­com­ing in­creas­ingly pop­u­lar but, as our in­ves­ti­ga­tion shows, any­one con­sid­er­ing buy­ing one should ap­ply a level of cau­tion.

“Safety and se­cu­rity should be the ab­so­lute pri­or­ity with any toy. If that can’t be guar­an­teed, then the prod­ucts should not be sold.”

Vivid Imag­i­na­tions, which dis­trib­utes the i-Que robot toy, told Which? that the toys fully com­ply with the Toy Safety Di­rec­tive and Euro­pean stan­dards.

It said: “Vivid have been aware of re­cent re­ports on con­nected toys that we dis­trib­uted on be­half of the man­u­fac­turer Ge­n­e­sis since 2014. Whilst some of these re­ports high­light po­ten­tial vul­ner­a­bil­ity in the prod­ucts, there have been no re­ports of these prod­ucts be­ing used in a ma­li­cious way.

“While it may be tech­ni­cally pos­si­ble for a third party to con­nect to the toys, it re­quires a cer­tain se­quence of events to hap­pen in order to pair a Blue­tooth de­vice to the toy, all of which make it dif­fi­cult for the third party to re­motely con­nect to the toy.

“As a re­sult of the pub­lished re­ports, Vivid has been ac­tively in­volved in com­mu­ni­cat­ing the is­sues to the man­u­fac­turer. We will ac­tively pur­sue this mat­ter with them di­rectly.”

Has­bro, which makes the Furby Con­nect, said it took the Which? re­port “very se­ri­ously”, but be­lieved that ma­nip­u­lat­ing the toy would re­quire close prox­im­ity and “a num­ber of very spe­cific con­di­tions that would all need to be sat­is­fied in order to achieve the re­sult de­scribed by the re­searchers at Which?”.

“We feel con­fi­dent in the way we have de­signed both the toy and the app to de­liver a se­cure play ex­pe­ri­ence,” Has­bro added.

Spi­ral Toys de­clined to com­ment to Which? in re­la­tion to Cloud Pets and the Toy-Fi Teddy.

“Safety and se­cu­rity should be the pri­or­ity. If that can’t be guar­an­teed, the prod­uct should not be stocked

Clock­wise from above: Furby Con­nect, Cloud Pet, I-Que In­tel­li­gent Robot, and Toy-Fi Teddy pose risks to child safety.

Newspapers in English

Newspapers from Ireland

© PressReader. All rights reserved.