Hackers can 'talk to your children' through connected toys

Four out of seven IoT toys use insecure Bluetooth connections - report

New research has found that many leading internet-enabled toys contain security flaws that allow hackers to talk directly to a child, prompting calls for retailers to pull affected products from the shelves before the Christmas rush.

Tests on seven of the most popular IoT toys revealed that four could be hacked in a way that let strangers manipulate built-in voice modules to communicate with a child.

The report by Which?, supported by German consumer group Stiftung Warentest and a body of security experts, found that the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets toys were all susceptible to this hack.

The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these were found to have been misconfigured and as a consequence could be easily hacked.


These insecure connections meant that researchers didn't need a password or a PIN to access the device, and that very little technical know-how was needed to take control of the voice module.

Bluetooth is typically limited to a distance of 10 metres, meaning that any immediate threat is likely to be from someone nearby. However, the report highlights that the range could be extended, allowing the connection to be picked up by hackers further away, such as in a vehicle on a nearby road.

The Furby Connect, perhaps the most well-known toy on the list, was found to contain the Bluetooth flaw that let anyone within range connect to the toy. Researchers were then able to upload a custom audio file to the toy, which could be anything given the lack of restrictions, including inappropriate material.

Furby manufacturer Hasbro told Which? that it takes the report "very seriously", although it claimed that the discovered exploits would require someone to re-configure the device's firmware, something that would take expert knowledge.

The Toy-Fi Teddy, which is available from Amazon and a number of other online retailers, allows children to send and receive recorded messages created using a smartphone or tablet app. It was found that hackers could send their own voice messages to the toy, and receive the replies from the child.

It was also found that hackers could take control of the voice unit in CloudPets toys, allowing them not only to talk to children but even to issue commands to a nearby Amazon Echo speaker.


This isn't the first time CloudPets has been accused of failing to protect its users. Earlier this year it was discovered that almost 2.2 million voice recordings created by children and stored on CloudPets toys had been leaked online. 

IT Pro has asked for comment from Spiral Toys, which makes the Toy-Fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.

Argos, which sells the Furby Connect and i-Que Intelligent Robot, said in a statement to IT Pro: "We haven't received any complaints about these products but we are in close contact with the manufacturers, who are already looking into these recommendations."

The issue reflects a wider concern in the security industry that basic protections are being ignored in an effort to push out as many connected devices as possible.


Earlier this year, Symantec EMEA CTO Darren Thomson remarked that the security industry had so far "fundamentally failed" to educate people about the risks of IoT hacking, and that the idea that end users would have the inclination to check that their devices were secure was evidently flawed.

Which? has called for all connected toys with known privacy or security issues to be taken off sale before parents begin their Christmas shopping.


Alex Neill, managing director of home products at Which?, said: "You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy."

"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can't be guaranteed, then the products should not be sold."
