An investigation found security flaws in ‘intelligent’ toys such as CloudPets and Hasbro’s Furby Connect
This article titled “Strangers can talk to your child through ‘connected’ toys, investigation finds” was written by Rebecca Smithers Consumer affairs correspondent, for theguardian.com on Tuesday 14th November 2017 08.46 UTC
A consumer group is urging major retailers to withdraw a number of “connected” or “intelligent” toys likely to be popular at Christmas, after finding security failures that it warns could put children’s safety at risk.
Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child.
The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.
With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.
When switched on, the Furby Connect – on sale at Argos, Amazon, Smyths and Toys R Us – could be connected with any device within a Bluetooth range of 10 to 30 metres.
With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid.
CloudPets toys, on sale at Amazon, are stuffed animals that enable friends to send a child messages that are played on a built-in speaker. But Which? found the toy could be hacked via its unsecured Bluetooth connection.
Also available from Amazon, the Toy-Fi Teddy allows a child to send and receive recorded messages over Bluetooth via a smartphone or tablet app. Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.
“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” said Alex Neill, the managing director of home products and services at Which?. “Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
Which? has written to retailers to urge them to stop selling connected toys that have proven security issues.
Argos said in a statement: “The safety of the products we sell is extremely important to us. We haven’t received any complaints about these products but we are in close contact with the manufacturers, who are already looking into [these] recommendations.”
Hasbro, which makes the Furby Connect, said: “Children’s privacy is a top priority, and that is why we carefully designed the Furby Connect and the Furby Connect World app to comply with children’s privacy laws. We feel confident in the way we have designed both the toy and the app to deliver a secure play experience.”
The British Toy and Hobby Association, of which Vivid and Hasbro are members, said: “The industry takes its responsibilities incredibly seriously when making products for children, with BTHA members investing heavily in everything from toy safety to data privacy and online security.
“We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality.”
guardian.co.uk © Guardian News & Media Limited 2010
Lead Image: Researchers found CloudPets could be hacked via their unsecured Bluetooth connection. Photograph: Cloudpets/Spiral Toys