Parents warned of 'worrying' security risks in Christmas 'smart' toys

Connected toys have 'worrying' security issues

"You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy", said Alex Neill, the organization's managing director of home products and services.

Ahead of 2017's present buying season, United Kingdom consumer rights group Which? has warned parents about the risks of giving connected toys to their children, and called for devices with known security and/or privacy risks to be banned from sale on kids safety grounds.

Which? says in all cases it was found to be far too easy for someone to illicitly pair their own device to the toys and use the tech to talk to a child.

Hasbro, who creates the Furby Connect, said in a statement to The Guardian that the security concerns Which? created from specific conditions that would require "a tremendous amount of engineering ... to reverse-engineer the product as well as to create new firmware".

Vivid Imaginations, which distributed the i-Que robot for manufacturers Genesis, said while the toys may be vulnerable, "there have been no reports of these products being used in a malicious way".

After conducting a thorough investigation on how these toys work, the review site claims that some of them have "proven" security flaws. It especially highlights Bluetooth connections not having been properly secured - noting for example there was no requirement for a user to enter a password, PIN code or any other authentication to gain access.

This means that - in theory, at least - anyone could to manipulate the voice control of a popular toy and speak directly to your child.

Experts discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot's voice by typing into a text field.

Hackers can "easily" access toys with Bluetooth or wi-fi connections and talk to children, a new study has found.

Furby Connect, sold by Argos, Amazon, Smyths and Toys "R" Us, was found to be connectable by anyone within a 10-30 meter (33-98ft) Bluetooth range when it's switched on, with no physical interaction required.

CloudPets toys, on sale at Amazon, are stuffed animals that enable friends to send a child messages that are played on a built-in speaker.

However, Which? found the Bluetooth lacks any authentication protections, meaning hackers could send their voice messages to a child and receive answers back.

"These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities-including speech recognition and Global Positioning System options", the agency wrote in the advisory, cautioning that certain toys could be hacked to record video and audio of children without their parents' knowledge.

The makers of the Cloud Pets and Toy-fi Teddy declined to comment.

However, Hasbro added that the vulnerability pointed out by Which? would require someone to be in close proximity to the toy and posses the technical knowledge to re-engineer the firmware.



Other news