Which? investigation finds security flaws in ‘intelligent’ toys such as CloudPets, Hasbro’s Furby Connect, and i-Que Intelligent Robot.
After finding security failures that could put a child’s safety at risk, UK consumer watchdog Which? urged major toy retailers to withdraw a number of toys that are expected to be popular at Christmas.
An investigation carried out by Which? with the German consumer group Stiftung Warentest and other security research experts found issues with Bluetooth and Wi-Fi-enabled toys that could allow strangers to talk to a child.
The investigation found that four out of seven of the tested toys could be used to talk to the children playing with them. These included the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.
With each of these toys, the Bluetooth connection had not been secured, meaning that a person didn’t need a password, PIN code or any other authentication to gain access. Little technical knowledge was needed to hack into these toys to start a conversation with a child.
CloudPets toys, on sale at Amazon, are stuffed animals that enable friends to send a child a message that is played on a built-in speaker. But investigators found the toy could be hacked via its unsecured Bluetooth connection.
Also available from Amazon, the Toy-Fi Teddy allows a child to send and receive recorded messages over Bluetooth via a smartphone or tablet app. Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.
People buying toys should be aware of whether a toy has a microphone, camera or Bluetooth connection, and are advised to read the packaging and manuals that come with toys to see how these sensors work and what they can do to control them.
Which? has written to retailers to urge them to stop selling connected toys that have proven security issues.