Which? Has Warned Retailers About Connected Toys Because of 'Worrying' Security

Adjust Comment Print

The DPC said any interactions a child might have with these kinds of toys are a potentially sensitive matter. Repeat that mantra to yourself every time you think about buying a connected device that uses the internet to communicate.

The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these were found to have been misconfigured and as a outcome could be easily hacked.

The consumer body worked in conjunction with German watchdog Stiftung Warentet and third-party security experts to test seven different toys, four of which failed the test. The flaws were found in popular toys such as Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.

As with anything technological, once hackers connect to the toys they are able to send messages, which can then be heard as the child plays with the toy.

It allows anyone within 10-30m of the toy to connect to it from a Bluetooth phone or laptop, and to make it play a custom audio file.

These unsecure connections meant that researchers didn't need a password or a PIN to access the device and that very little technical know-how was needed to take control of the voice module.

Which? has written to retailers calling on them to stop selling toys with proven security issues. "If that can't be guaranteed, then the products should not be sold".

Here's how long you have left to spend your old £10 notes
If you still have an old £10 note in your wallet, it's time to spend it. After that date, only the new polymer £10 notes will be legal tender.


Which? also criticised the I-Que Intelligent Robot, which has previously appeared on Hamleys' "top toys" Christmas list.

Vivid Imaginations, which distributed the i-Que robot for manufacturers Genesis, said while the toys may be vulnerable, "there have been no reports of these products being used in a malicious way".

Which? has called for all connected toys with known privacy or security issues to be taken off sale before parents begin their Christmas shopping.

"The Furby Connect toy and Furby Connect World app were not designed to collect users' name, address, online contact information (eg, username, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device's microphone", it added.

It said: "We believe that [hacking into the toy] would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described".

It said: 'While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy'.

Spiral Toys, the maker of Cloud Pets and Toy-Fi Teddy, has declined to comment on the concerns raised.

Comments