Which? has exposed serious security flaws with popular children’s smart toys and is calling for the next government to introduce mandatory security standards to prevent unsecure products being available for sale.
The consumer champion, with security specialist NCC Group, conducted a snapshot test of connected toys sold by major retailers – including Amazon, Argos, John Lewis and Smyths – and found they lack basic security, which leaves them vulnerable to being hacked and could even enable a stranger to talk to a child.
The Department for Digital, Culture, Media & Sport (DCMS) established a new voluntary code in October 2018 to improve the security of connected technology products, but most manufacturers have failed to sign up – only three have signed up publicly – and the threat of unsecure products continues.
Which? is calling for it to be made mandatory for manufacturers to ensure smart products meet appropriate security standards in order to go on sale.
Which? looked at seven popular devices and found that with three of them, a stranger could exploit flaws in the design to communicate with a child.
A security flaw in the £30 Vtech KidiGear Walkie Talkies could allow someone to start a two-way conversation with a child from a distance of up to 200 meters.
The consumer champion also found security flaws in two popular children’s karaoke products: the ‘Karaoke microphone’, sold online by the relatively unknown brand Xpassion/Tenva, and the ‘Singing Machine SMK250PP’ by Singing Machine. Both could allow people within 10 meters to send recorded messages to a child because their Bluetooth connection requires no authentication, such as a PIN.
Which?’s tests also found that the Boxer Robot (an interactive Artificial Intelligence robot), Mattel Bloxels (a board game with an educational web portal), the Sphero Mini coding toy and the ‘Singing Machine’ all have security issues which leave them open to hacking. Users are not required to create strong passwords for their online accounts, meaning their personal data could be at risk if an account is compromised or if the company running the online service suffers a data breach.
Two of the seven products Which? looked at – Bloxels and Sphero Mini – also had no filter to prevent explicit language or offensive images being uploaded to their online platforms. Any child using the public portal or app on these products could then see or hear this content.
Which? is now calling on the next government to introduce a mandatory requirement for connected devices to be appropriately secured before they reach the point of sale in the UK.
Industry must also show it is taking the security of internet-enabled and smart products seriously by introducing basic security as a first step. This includes ensuring devices require a unique password before use, encrypt their data and receive consistent security updates.
Natalie Hitchins, Which? Head of Home Products and Services, said:
“While there is no denying the huge benefits smart gadgets can bring to our daily lives, the safety and security of users should be the absolute priority.
“The next government must ensure manufacturers design connected tech products with security as paramount if it is going to prevent unsecure products ending up in people’s homes.”
Tips on how to buy and use smart toys
- Read the description of the connected toy carefully in the shop or online. Find out what the toy actually does and how your child will interact with it. Toys such as the Rizmo – an interactive cuddly toy that was also tested and didn’t raise concerns – don’t require an external network connection or mobile app, and so the risk to your child is lower.
- Search online to see if there have been any security concerns raised about the toy previously, such as a leak of personal data. If you are at all concerned, consider a non-smart toy instead.
- If you do buy a smart toy, submit only the minimal amount of personal data required when setting up an account for your child, so that less data is exposed if things do go wrong. Do set strong passwords, though, to ensure any accounts are properly protected.
- Keep an eye on your child when they’re playing with the smart toy, particularly if it can send or receive messages. It is not advisable to leave them unsupervised.
- When your child is not playing with the smart toy, make sure you turn it off completely so that it is not vulnerable to being exploited.
For further information visit: https://www.which.co.uk/reviews/toys/article/smart-toys-should-you-buy-them
Notes to editors:
- Which? carried out its investigation in collaboration with NCC Group – security testing, audit and compliance experts.
- The toys Which? tested were selected because they use some sort of smart or connected technology, they are available from at least one major retailer and they are popular with consumers (eg, they have lots of user reviews or they have been placed on ‘top seller’ or curated lists). These products are sold on the websites of at least one of Amazon, Argos, John Lewis and Smyths – and are also available from other retailers.
- Images are available on request.
- Which?’s consumer agenda for government: https://www.which.co.uk/policy/consumers/5198/consumeragenda
- The three manufacturers to publicly sign up to the DCMS code are HP Inc., Centrica Hive Ltd and Green Energy Options (geo) Ltd. The website also states: ‘In addition to the pledges listed on these pages a number of private pledges from companies have also been received which are not listed here’: https://www.gov.uk/government/collections/secure-by-design#scope-of-applicability
Rights of reply
Vtech KidiGear Walkie Talkies
When we contacted Vtech, it qualified some aspects of our research, including the specific scenario in which a stranger could use a walkie talkie to contact a child.
The company confirmed that if a child turns on just one of their walkie talkies from off, an attacker with another walkie talkie within the 200m range could turn theirs on, which would initiate pairing. The attacker would only have a 30-second initial window to complete the pairing, although this could be extended to 60 seconds if the first attempt is unsuccessful.
Anyone can pair within the time window once a device has been turned off and on again – such a connection is not unique to the first time of use.
Based on all this information we have gathered, we believe that there is a risk of someone observing a child playing with the walkie talkies and exploiting the above scenario.
A spokesperson for VTech commented: “Further to the recent Which? findings, we would like to reassure consumers on the safety of the VTech KidiGear Walkie Talkies which uses the industry standard AES encryption to communicate. The pairing of KidiGear Walkie Talkies cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30 second window in order to connect.”
Vtech also noted that if the child’s walkie talkie is already paired in a conversation with another walkie talkie user, such as a parent, a third handset owned by a stranger is unable to pair.
‘Karaoke microphone’ by Xpassion/Tenva
We were unable to contact the company selling the karaoke microphone toy, despite using the online contact forms on Amazon (which fulfilled delivery of the product for the seller Xpassion/TENVA) and contacting Amazon directly to request assistance in tracking down someone to review our findings.
‘Singing Machine SMK250PP’ karaoke machine
Singing Machine claimed that a user would need to manually enter Bluetooth pairing mode in order to add a new device. However, our testing showed otherwise. We paired the machine with an iPhone, streamed some audio, then turned off Bluetooth on the iPhone, at which point we were immediately able to connect a new device (a Windows laptop) and stream Bluetooth audio to it. So as long as the machine is on and listening for Bluetooth connections, it will connect with any Bluetooth streaming device that initiates communication with it – there is no authentication of connecting devices, and no need to power it off or press a button to pair a new one. On 4 December we re-tested this with the machine we have, to be sure, and got the same result.
In a statement, Singing Machine said: “Safety is top priority (sic) with every Singing Machine product produced, as demonstrated by our 37 year history without a product recall. We follow industry best practices as well as all applicable safety and testing standards.”
Mattel FFB15 Bloxels Build Your Own Video Game
Mattel and Pixel Press (maker of Bloxels Edu portal) declined to comment. The board game has now been discontinued, but was still available to buy on 4 December 2019 and the Bloxels Edu online portal remains live.
Sphero Mini interactive toy
Sphero did not respond in time to our request for comment.
Boxer Robot interactive toy
The toy element of the robot itself does not pose a risk to the child or parents. However, there are account and password security issues that the manufacturer, Spinmaster US, needs to address.
Spinmaster, maker of the Boxer toy, pointed out that there’s no need to set up an account via the Spinmaster US website to use the Boxer toy or the companion Android/iOS app (which doesn’t require a login).
However, there is a link to the Spinmaster US site on the Boxer website, so we feel that someone could be persuaded to click through and set up an unsecure account.
Rizmo interactive cuddly toy
This interactive cuddly toy was tested and didn’t raise concerns.