Connected Toys Could Let Hackers Access Children

Internet Connected Toys Could Put Children at Risk Because of Security Flaw

A consumer watchdog group is urging toy retailers to take some connected toys off the shelves this Christmas. The group says security flaws in the toys can put children at risk of hackers talking to them while the toy is in use. The Guardian says the consumer advocates are specifically worried about Wi-Fi and Bluetooth enabled toys after an investigation revealed troubling failures.

The Investigation

According to the article, investigations launched by Which? and a German consumer watchdog group, Stiftung Warentest, found that “smart” toys can let strangers talk to the child who is playing with the toy. The alarming results found that 4 of the 7 connected toys tested could be used to chat with children. The article mentions Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets, all of which are expected to be popular this holiday season.

The Guardian states that the researchers were able to access the toys through unsecured connections.  Meaning that the potential “hacker” would not need a password, pin, or any other form of authentication to gain access. It also means that someone with limited technical knowledge may be able to access the toys and start sharing messages with young children.

  • The Furby Connect, which the article says can be found on Amazon, Toys R Us, and other retailers, could be connected with any device within a Bluetooth range of 30 to 90 feet.
  • The i-Que Intelligent Robot, available from Argos and Hamleys, comes with an app. The researchers discovered that anyone who downloads the app and finds a i-Que Intelligent Robot in range can use the toy’s voice by simply typing into a text field on the app. A similar toy made by the same company as this robot, Genesis, has been banned in Germany because of this serious concern.
  • CloudPets are on sale at Amazon. They are stuffed animals that let friends send messages that are played on a built-in speaker. But the investigation found the function could be hacked through Bluetooth.
  • The Toy-Fi Teddy, on sale on Amazon, lets kids send and receive voice messages over Bluetooth from a smartphone or tablet. The article says researchers found that the Bluetooth connection had zero authentication protections.

Connected Toy Makers Respond

The Guardian quotes the head researcher from Which? as saying that connected toys are increasingly popular, but parents should proceed with caution. Their group believes if the toys are deemed “unsecured” then they should be pulled from shelves right away.

The toy makers seem to have mixed reactions. Argos said in a statement: “The safety of the products we sell is extremely important to us. We haven’t received any complaints about these products but we are in close contact with the manufacturers, who are already looking into [these] recommendations.”

The makers of Furby Connect, Hasbro, said through a statement that “Children’s privacy is a top priority.” Also, that despite the investigation, they are “confident in the way we have designed both the toy and the app to deliver a secure play experience.”

Hasbro is also a member of The British Toy and Hobby Association. This group believes “the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that makes the outcome highly unlikely in reality.”

It’ll be up to parents to decide if the connected toys are worth the potential risk.

Jeffrey A. Newman represents whistleblowers: 1-800-682-7157