Which? has uncovered concerning vulnerabilities in connected toys that could pose a child safety risk and is calling for retailers to stop selling toys with proven security issues.
Which? had concerns about a number of connected toys, so, in collaboration with German consumer group Stiftung Warentest and other security research experts, it conducted a snapshot test of popular Bluetooth and Wi-Fi toys on sale at major retailers.
This has revealed concerning vulnerabilities in several devices that could enable a stranger to talk to a child.
The investigation found that someone could use a toy to communicate with a child in four out of the seven devices tested. It revealed worrying security failures with the Furby, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets cuddly toy.
In each of these toys the Bluetooth connection had not been secured, meaning that during the tests our hacker didn’t need a password, PIN code or any other authentication to gain access. In addition, very little technical know-how was needed to get into the toys and start sending messages to a child.
Of the toys we discovered could be hacked:
- Furby Connect is available at Argos, Amazon, Smyths and Toys R Us, and Toys R Us ranked it as a must-have Christmas toy last year. Anyone within a 10-30 metre Bluetooth range can connect to the toy when it’s switched on, with no physical interaction required, because it does not use any security features when pairing. The connection can also be made from a laptop, opening up more opportunities to control the toy. Our security experts were able to upload and play a custom audio file on the Furby.
- The I-Que Intelligent Robot has previously featured on Hamleys’ top toys Christmas list and is available from Argos and Hamleys. This brightly coloured talking robot uses Bluetooth to pair with a phone or tablet through an app, but the connection is unsecured. Which?’s investigation discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot’s voice by typing into a text field. The toy is made by Genesis Toys, the same manufacturer as the Cayla doll, which was recently banned in Germany due to security and hacking concerns.
- CloudPets, available from Amazon, comes as a stuffed animal and enables friends to send messages to a child, played back on a built-in speaker. Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages.
- Toy-fi Teddy, available from Amazon, is a teddy that allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. However, Which? found the Bluetooth connection lacks any authentication, meaning our hackers could send their own voice messages to a child and receive answers back.
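The common thread above is that the toys accept a Bluetooth connection with no PIN or other authentication. The Python below is an added illustration of how that maps onto Bluetooth LE’s own security model; it is not Which?’s, Context IS’s or any toy maker’s code. It assumes a simplified reading of the Core specification’s pairing-method rules (out-of-band pairing is ignored), and the GATT table, characteristic names and required levels are constructed for a hypothetical toy rather than taken from any real device. The point it makes is a design one: a toy with no display or keypad can only ever pair with “Just Works”, which yields an unauthenticated key, so any protection for its writable characteristics has to come from somewhere other than the Bluetooth link.

```python
"""Bluetooth LE pairing model and GATT write-permission audit (added example).

Simplified from the Core spec's IO-capability pairing table; OOB pairing ignored.
The GATT table below is constructed for a hypothetical toy, not a real product.
"""
from dataclasses import dataclass

# IO capabilities a device advertises during pairing.
NO_IO = "NoInputNoOutput"
DISPLAY_ONLY = "DisplayOnly"
DISPLAY_YESNO = "DisplayYesNo"
KEYBOARD_ONLY = "KeyboardOnly"
KEYBOARD_DISPLAY = "KeyboardDisplay"
KEYBOARD_CAPS = {KEYBOARD_ONLY, KEYBOARD_DISPLAY}
YESNO_CAPS = {DISPLAY_YESNO, KEYBOARD_DISPLAY}

# LE Security Mode 1 levels: 1 = no security, 2 = unauthenticated encryption
# (Just Works key), 3 = authenticated encryption (passkey / numeric comparison),
# 4 = authenticated LE Secure Connections.


def pairing_method(init_cap, resp_cap, mitm_both=True, secure_connections=False):
    """Return (association model, key_is_authenticated) for two IO capabilities."""
    # If either side lacks input and output, or either side does not ask for
    # MITM protection, the spec falls back to Just Works.
    if not mitm_both or NO_IO in (init_cap, resp_cap):
        return ("Just Works", False)
    # LE Secure Connections lets two yes/no-capable devices confirm a 6-digit value.
    if secure_connections and init_cap in YESNO_CAPS and resp_cap in YESNO_CAPS:
        return ("Numeric Comparison", True)
    # Any keyboard on either side allows a passkey to be typed in.
    if init_cap in KEYBOARD_CAPS or resp_cap in KEYBOARD_CAPS:
        return ("Passkey Entry", True)
    # Display-only combinations cannot exchange a passkey: Just Works again.
    return ("Just Works", False)


def max_security_level(init_cap, resp_cap, mitm_both=True, secure_connections=False):
    """Highest Security Mode 1 level this pair of devices can ever establish."""
    _, authenticated = pairing_method(init_cap, resp_cap, mitm_both, secure_connections)
    if not authenticated:
        return 2
    return 4 if secure_connections else 3


@dataclass(frozen=True)
class Characteristic:
    name: str
    writable: bool
    required_level: int  # security level the link must reach before a write is accepted


# Constructed GATT table for a hypothetical talking toy (not any real device).
TOY_GATT = (
    Characteristic("battery_level", writable=False, required_level=1),
    Characteristic("audio_upload", writable=True, required_level=1),
    Characteristic("text_to_speech", writable=True, required_level=2),
    Characteristic("firmware_update", writable=True, required_level=3),
)


def audit_write_permissions(table, achievable_level):
    """Classify each writable characteristic by who can reach it.

    'open'            : accepted over a plain link, no pairing needed at all
    'unauthenticated' : needs encryption, but a Just Works key satisfies it,
                        so any nearby peer that pairs can write
    'authenticated'   : requires a passkey / numeric-comparison key
    'unreachable'     : requires more security than this device's IO capability
                        can establish, so the feature cannot work as designed
    """
    verdicts = {}
    for c in table:
        if not c.writable:
            continue
        if c.required_level <= 1:
            verdicts[c.name] = "open"
        elif c.required_level == 2:
            verdicts[c.name] = "unauthenticated"
        elif c.required_level <= achievable_level:
            verdicts[c.name] = "authenticated"
        else:
            verdicts[c.name] = "unreachable"
    return verdicts


if __name__ == "__main__":
    # A phone (keyboard and display) pairing with a toy that has neither.
    level = max_security_level(KEYBOARD_DISPLAY, NO_IO)
    print("toy can reach Security Mode 1 level", level)
    for name, verdict in audit_write_permissions(TOY_GATT, level).items():
        print(f"{name}: {verdict}")
```

Run against the constructed table, the toy reaches only level 2: the audio upload characteristic is writable over a plain link, the text-to-speech one by anyone who completes a Just Works pairing, and a characteristic that insists on an authenticated key can never be used. The practical consequence for designers is that a display-less toy needs an application-layer secret (for example one shared through the companion app at setup) rather than relying on Bluetooth pairing alone.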
Which? has now written to retailers to urge them to stop selling connected toys that have proven security issues.
Alex Neill, Which? Managing Director of Home Products and Services, said:
“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
Notes to Editors
- Which? carried out its investigation in collaboration with German consumer group Stiftung Warentest and other security researchers, including Context IS.
- Security research experts Context IS uncovered the vulnerabilities in the Furby. Context was able to build upon previous work by Florian Euchner (see https://github.com/Jeija/bluefluff) to upload and play a custom audio file on the Furby. This audio file could be anything, including inappropriate material.
- Which? also tested the WowWee CHiP, a robot dog which has the same Bluetooth vulnerabilities, but the hackers found they could only take remote control of the toy, not speak to a child.
- The Fisher-Price Smart Toy Bear and Mattel Hello Barbie were tested for security issues too. Which?’s findings weren’t as concerning, but both toys have featured in the media previously with alleged hacking risks.
Rights of reply
i-Que – Vivid Imaginations
“Vivid have been aware of recent reports on connected toys that we distributed on behalf of the manufacturer Genesis since 2014. Within these reports it raises the issue of the security of the user, which we take very seriously. Whilst some of these reports highlight potential vulnerability in the products, there have been no reports of these products being used in a malicious way. While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy.
“As a result of the published reports Vivid has been actively involved in communicating the issues to the manufacturer. Your technical recommendations to add Bluetooth authentication as a firmware update to the toy and app would need to be reviewed and, if feasible, implemented by Genesis. We will actively pursue this matter with them directly. In conclusion, the connected toys distributed by Vivid fully comply with the essential requirements of the Toy Safety Directive and harmonised European standards, and we consider these products to be safe for consumers to use when following the user instructions.”
Furby Connect – Hasbro
“At Hasbro, children’s privacy is a top priority, and that is why we carefully designed the FURBY CONNECT toy and the FURBY CONNECT WORLD app to comply with children’s privacy laws. In support of this, we also engaged a third party to perform security testing on the FURBY CONNECT toy and FURBY CONNECT WORLD app. We carefully reviewed the report, and take this very seriously. While the researchers at Which? identified ways to manipulate the FURBY CONNECT toy, we believe that doing so would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the FURBY CONNECT toy, creating new firmware, and then updating the firmware, which requires being within Bluetooth range while the FURBY CONNECT toy is in a “woke” state. A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware.
“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience. The FURBY CONNECT toy and FURBY CONNECT WORLD app were not designed to collect users’ name, address, online contact information (e.g., user name, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.”
Cloud Pets & Toy Fi – Spiral Toys
Declined to comment.
“The safety of the products we sell is extremely important to us. We haven’t received any complaints about these products but we are in close contact with the manufacturers, who are already looking into your recommendations.”
Don’t sell the products on test and haven’t so far made a general comment.
Toys R Us and Smyths
Referred to manufacturer comments.
“We will decline to comment on the Furby Connect and Toy-Fi Teddy.”
Doesn’t sell any products on test, but has agreed to engage with us on the topic.