Hackers can 'talk to your children' through connected toys

A child safety warning has been issued over ‘smart’ toys that can be hacked via their Bluetooth connections. The security loophole means that it is possible for strangers to connect to the toys and talk to children without their parents’ knowledge.

A recent investigation by consumer group Which? found that some of this year's must-have toys, such as Furby Connect, i-Que Intelligent Robot, Toy-fi Teddy and CloudPets can all be accessed via Bluetooth or Wi-Fi connections.

Experts discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot's voice by typing into a text field.

Which? found there was no authentication required between the toys and the devices they could link with via Bluetooth and Wi-Fi.

"Sadly, there have been many examples in the past two to three years of connected toys that have security flaws that put children at risk", he said. Researchers were then able to upload a custom audio file to the toy, which could be anything given the lack of restrictions, including inappropriate material.

CloudPets is a stuffed animal that lets friends send messages to a child, which are played back on a built-in speaker.

Alex Neill, the organisation's managing director of home products and services, said: "Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution".

All four toys feature unsecured Bluetooth connections, meaning the security testers were not required to supply a password or PIN to gain access to the device. "If that can't be guaranteed, then the products should not be sold".

Which? found the CloudPets toy could be hacked via its unsecured Bluetooth connection and made to play their voice messages, while the Toy-fi Teddy lacked any authentication protections, meaning the watchdog's hackers could send their voice messages to a child and receive answers back.

Vivid Imagination, which produces the i-Que robot, said that it would review Which?'s claims, but insisted that it had never received reports of the toys "being used in a malicious way".

"While it may be technically possible for a third party to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy".

Vivid said it would be speaking to Genesis about improving security on the robot.

The i-Que Intelligent Robot has previously featured on Hamleys' top toys Christmas list. "That is why we carefully designed the Furby Connect toy and the Furby Connect World app to comply with children's privacy laws". It said: "We believe that [hacking into the toy] would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described".

IT Pro has asked for comment from Spiral Toys, which makes the Toy-fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.

The British Toy & Hobby Association (BTHA) played down the significance of the Which? research.
