Connected toys can be hacked by 'almost anyone'

Security failures turned up in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy, and CloudPets.

Which? found that there was no sort authentication process between the toys and the Bluetooth-enabled devices they connect with, Despite the fact at least two of the manufacturers said they took security very seriously, lack of authentication means that anyone within range could take control of the toy and access any data stored there.

Once hackers had connected to the toys they were able to send messages, which would then be heard by children playing with the toy.

Alex Neill, from Which?, said: "Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution".

"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can't be guaranteed, then the products should not be sold".

Vivid Imagination, who produce the I-Que robot, said that they would review Which?'s claims, but insisted that they had never received reports of the toys "being used in a malicious way".

Toy-fi Teddy allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app.

As toy makers outdo one another in the race to pack ever more tech-enhanced features into their toys, including Wi-Fi and Bluetooth connectivity, regulators are trying to keep up to reduce the risk of exploitation.

The tests were carried out in association with Which?'s German counterpart, Stiftung Warentest, and security researchers.

Which? is asking all retailers - such as Argos, Amazon ad Toys R Us - to stop selling smart toys with known security problems.

"While it may be technically possible for a third party to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy".

Hasbro, manufacturer of the Furby, took issue with Which?'s test.

"These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities-including speech recognition and Global Positioning System options", the agency wrote in the advisory, cautioning that certain toys could be hacked to record video and audio of children without their parents' knowledge.

"A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware".

The company said it was "confident" in the design of its toys and its ability to deliver a "secure play experience".

A spokesperson for Amazon declined to comment about the Furby Connect and Toy-Fi Teddy.

"We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a flawless set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality".

Vanessa Coleman

Comments