Hackers can 'talk to your children' through connected toys

Four out of seven IoT toys use insecure Bluetooth connections - report

New research has found that many leading internet-enabled toys contain security flaws that allow hackers to talk directly to a child, prompting calls for retailers to pull affected products from the shelves before the Christmas rush.

Tests on seven of the most popular IoT toys revealed that four could be hacked in a way that let strangers manipulate built-in voice modules to communicate with a child.

The report by Which?, supported by German consumer group Stiftung Warentest and a body of security experts, found that the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets toys were all susceptible to this hack.

The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these were found to have been misconfigured and as a consequence could be easily hacked.

These unsecured connections meant that researchers didn't need a password or a PIN to access the device, and that very little technical know-how was needed to take control of the voice module.

Bluetooth is typically limited to a distance of 10 metres, meaning that any immediate threat is likely to be from someone nearby. However, the report highlights that the range could be extended, allowing the signal to be picked up by hackers further away, such as in a vehicle on a nearby road.

The Furby Connect, perhaps the most well-known toy on the list, was found to contain the Bluetooth flaw that let anyone within range connect to the toy. Researchers were then able to upload a custom audio file to the toy, which could be anything given the lack of restrictions, including inappropriate material.

Furby manufacturer Hasbro told Which? that it takes the report "very seriously", although it claimed that the discovered exploits would require someone to re-configure the device's firmware, something that would take expert knowledge.

The Toy-Fi Teddy, which is available from Amazon and a number of other online retailers, allows children to send and receive recorded messages created using a smartphone or tablet app. It was found that hackers could send their own voice messages to the toy, and receive the replies from the child.

It was also found that hackers could take control of the voice unit in CloudPets toys, allowing them not only to talk to children but even to issue commands to a nearby Amazon Echo speaker.

This isn't the first time CloudPets has been accused of failing to protect its users. Earlier this year it was discovered that almost 2.2 million voice recordings created by children and stored on CloudPets toys had been leaked online.

IT Pro has asked for comment from Spiral Toys, which makes the Toy-Fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.

Argos, which sells the Furby Connect and i-Que Intelligent Robot, said in a statement to IT Pro: "We haven't received any complaints about these products but we are in close contact with the manufacturers, who are already looking into these recommendations."

The issue reflects a wider concern in the security industry that basic protections are being ignored in an effort to push out as many connected devices as possible.

Earlier this year, Symantec EMEA CTO Darren Thomson remarked that the security industry had so far "fundamentally failed" to educate people about the risks of IoT hacking, and that the idea that end users would have the inclination to check that their devices were secure was evidently flawed.

Which? has called for all connected toys with known privacy or security issues to be taken off sale before parents begin their Christmas shopping.

Alex Neill, managing director of home products at Which?, said: "You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy."

"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can't be guaranteed, then the products should not be sold."
