Smart toys have big security flaws, consumer group finds


Consumer testing experts are urging retailers to stop selling children's toys which connect to wifi or Bluetooth. It says an investigation found no password and little technical knowledge was needed to hijack loudspeakers built into the toys.

Consumer group Which? said an investigation found "worrying security failures" with the I-Que Intelligent Robot, Furby Connect, Toy-fi Teddy, and CloudPets cuddly toy.

The FBI warned parents back in July about the potential issues with connected toys, saying that smart toys often use cameras, sensors and microphones, which could all create security issues. The lack of authentication means that, in theory, any device within physical range could link to the toy and take control or send messages, the watchdog said.

With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access.

The study found that four out of seven of the tested toys could be used to communicate with the children playing with them, The Guardian reports.

Furby Connect, sold by Argos, Amazon, Smyths and Toys "R" Us, was found to be connectable by anyone within a 10-30 meter (33-98ft) Bluetooth range when it's switched on, with no physical interaction required.

The brightly coloured talking robot uses Bluetooth to pair with a phone or tablet through an app, but the connection is unsecured.

As more toys add Wi-Fi and Bluetooth connections to pack in new skills and features, regulators have kept a wary eye on them for security vulnerabilities.

Vivid Imaginations, which distributes the i-Que robot toy, told Which? it will "actively pursue this matter" with the manufacturer after "communicating the issues" raised in the published reports.

CloudPets, available from Amazon, come as a stuffed animal and enable friends to send messages to a child, played back on a built-in speaker.

The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these were found to have been misconfigured and as a effect could be easily hacked.

Alex Neill, the group's managing director of home products and services, said: "Connected toys are becoming increasingly popular but, as our investigation shows, anyone considering buying one should apply a level of caution".

A spokesperson for Hasbro, which makes the Furby Connect, said that children's privacy was a "top priority" and that they were created to comply with children's privacy laws.

The company said it was "confident" in the design of its toys and its ability to deliver a "secure play experience".

"We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a ideal set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality", the association said.