Which? warns IoT devices must become more secure or be removed from shelves ahead of the festive season.
Connected children’s toys using Bluetooth, Wi-Fi and mobile apps may do more harm than good following some worrying revelations from Which?
Hack tests were carried out by the consumer watchdog as part of research aiming to demonstrate the vulnerability of smart toys as a result of insecure connections.
The report revealed that four out of seven of the most popular internet of things (IoT) devices could be hacked by imposters manipulating insecure connections, potentially allowing strangers to communicate with children.
Most smart toys rely on Bluetooth connections to enable functionality, with Which? finding these toys to be the most insecure due to the lack of authentication processes, such as passwords.
Bluetooth does have a 10 metre limit to its range; however this in itself brings concerns to parents as it means immediate threats to their child are likely to be from someone in close proximity.
Furthermore, the findings highlight that the range of Bluetooth could be extended and picked up by hackers further afield, such as in a vehicle down the road.
Out of all the devices, probably the most known is the Furby Connect which was found to contain a flaw that let anyone with the range of the device connect to it. Researchers then ‘hacked’ the device and inserted an audio file to the toy, which could contain any malicious material including inappropriate content.
In response to the report findings the maker of Furby Connect, Hasbro, said: “We feel confident in the way we have designed both the toy and the app to deliver a secure play experience. The toy and app were not designed to collect users’ name, address or permit users to create profiles to allow Hasbro to personally identify them.”
Other common toys found to have security flaws also included Amazon’s Toy-Fi Teddy, which allows children to send and receive recorded messages using a smartphone or tablet application. Hackers were able to very easily tap into the device and send their own messages to the toy, receiving replies from the child.
Further problems came with Amazon devices as hackers took control of the voice unit in CloudPets, which enabled them to not only communicate with children buy give commands to Amazon Echo devices.
Following the research, Which? urged manufacturers to make children’s smart toys more secure ahead of Black Friday and Christmas. If security is not improved, the company suggests removing the products from shelves in order to protect children.
Alex Neill, Which? Managing Director of Home Products and Services, said:
“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”