Strangers could be communicating with children through smart toys by hacking Bluetooth connections, consumer group Which? has warned. It says an investigation found no password and little technical knowledge was needed to hijack loudspeakers built into the toys.
Popular Christmas gifts including the I-Que Intelligent Robot, Furby Connect, Toy-fi Teddy and CloudPets cuddly toy had “worrying security failures” when investigated. Which? has now called on retailers to stop selling the toys with “proven issues.”
Which? found there was no authentication required between the toys and the devices they could link with via Bluetooth and Wi-Fi. The lack of authentication means that, in theory, any device within physical range could link to the toy and take control or send messages, the watchdog said.
“In each of the toys, the Bluetooth connection had not been secured, meaning during the tests the hacker didn’t need a password, PIN code or any other authentication to get access,” the report read. “In addition, very little technical know-how was needed to gain access to the toys to start sharing messages with a child.”
In collaboration with German consumer group Stiftung Warentest, Which? tested connected toys on sale at major retailers. The investigation found that, in four out of the seven devices tested, people could use the toy to communicate with a child.
Furby Connect, sold by Argos, Amazon, Smyths and Toys ‘R’ Us, was found to be connectable by anyone within a 10-30 meter (33-98ft) Bluetooth range when it’s switched on, with no physical interaction required. It does not use any security features when pairing. The connection can be made through a laptop, opening up more opportunities to control the toy. “Our security experts were able to upload and play a custom audio file on the Furby,” the report said.
The I-Que Intelligent Robot, which has featured on the Hamleys top toys Christmas list, uses Bluetooth to pair with a phone or tablet through an app, with an unsecured connection. Anyone can download the app, find one of the talking robots within Bluetooth range, and start chatting using the robot’s voice by typing into a text field, the Which? investigation found.
CloudPets is a stuffed animal that enables friends to send messages to a child, which are played back on a built-in speaker. Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages.
Toy-fi Teddy allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. The Bluetooth feature lacks any authentication protection, however, meaning hackers can send voice messages to a child and receive answers back.