Strangers using smart toys to talk to children
A number of connected or “smart” toys expected to be top sellers this Christmas have “concerning vulnerabilities” that could pose a risk to child safety, a consumer group has warned.
Which? said its testing found four toys — the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy, and Cloud Pets — could be used by a stranger to talk to a child.
The testing found that the Bluetooth connection in each of the toys had not been secured, meaning the hacker used for the investigation did not need a password, PIN, or any other authentication to achieve access.
In addition, “very little technical know-how” was needed to gain access to the toys to start sharing messages with a child, the watchdog said.
Which? has written to retailers calling on them to stop selling toys with proven security issues following its snapshot test in collaboration with German consumer group Stiftung Warentest and other security research experts.
The testing found anyone within a 10m-30m Bluetooth range of the Furby could connect to the toy when it was switched on, with no physical interaction required because it does not use any security features when pairing.
The investigation also found that anyone could download the app for the iQue Intelligent Robot, find one of the toys within Bluetooth range and start chatting using the robot’s voice by typing into a text field.
Which? found the Cloud Pets toy could be hacked via its unsecured Bluetooth connection and made to play their voice messages, while the Toy-Fi Teddy lacked any authentication protections, meaning the watchdog’s hackers could send their voice messages to a child and receive answers back.
Alex Neill, Which? managing director of home products and services, said: “Connected toys are becoming increasingly popular but, as our investigation shows, anyone considering buying one should apply a level of caution.
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
Vivid Imaginations, which distributes the i-Que robot toy, told Which? that the toys fully comply with the Toy Safety Directive and European standards.
It said: “Vivid have been aware of recent reports on connected toys that we distributed on behalf of the manufacturer Genesis since 2014. Whilst some of these reports highlight potential vulnerability in the products, there have been no reports of these products being used in a malicious way.
“While it may be technically possible for a third party to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy.
“As a result of the published reports, Vivid has been actively involved in communicating the issues to the manufacturer. We will actively pursue this matter with them directly.”
Hasbro, which makes the Furby Connect, said it took the Which? report “very seriously”, but believed that manipulating the toy would require close proximity and “a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?”.
“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience,” Hasbro added.
Spiral Toys declined to comment to Which? in relation to Cloud Pets and the Toy-Fi Teddy.
“Safety and security should be the priority. If that can’t be guaranteed, the product should not be stocked
Clockwise from above: Furby Connect, Cloud Pet, I-Que Intelligent Robot, and Toy-Fi Teddy pose risks to child safety.