Hackers can 'talk to your children' through connected toys

Four out of seven IoT toys use insecure Bluetooth connections - report

New research has found that many leading internet-enabled toys contain security flaws that allow hackers to talk directly to a child, prompting calls for retailers to pull affected products from the shelves before the Christmas rush.

Tests of seven of the most popular IoT toys revealed that four could be hacked in a way that let strangers manipulate built-in voice modules to communicate with a child.

The report by Which?, supported by German consumer group Stiftung Warentest and a body of security experts, found that the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets toys were all susceptible to this hack.

The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these were found to have been misconfigured and as a consequence could be easily hacked.

These insecure connections meant that researchers didn't need a password or a PIN to access the device and that very little technical know-how was needed to take control of the voice module.

Bluetooth is typically limited to a distance of 10 metres, meaning that any immediate threat is likely to be from someone nearby. However, the report highlights that the range could be extended, allowing the connection to be picked up by hackers further away, such as in a vehicle on a nearby road.

The Furby Connect, perhaps the most well-known toy on the list, was found to contain the Bluetooth flaw that let anyone within range connect to the toy. Researchers were then able to upload a custom audio file to the toy, which could be anything given the lack of restrictions, including inappropriate material.

Furby manufacturer Hasbro told Which? that it takes the report "very seriously", although it claimed that the discovered exploits would require someone to re-configure the device's firmware, something that would take expert knowledge.

The Toy-Fi Teddy, which is available from Amazon and a number of other online retailers, allows children to send and receive recorded messages created using a smartphone or tablet app. It was found that hackers could send their own voice messages to the toy, and receive the replies from the child.

It was also found that hackers could take control of the voice unit in CloudPets toys, allowing them not only to talk to children but even to issue commands to a nearby Amazon Echo speaker.

This isn't the first time CloudPets has been accused of failing to protect its users. Earlier this year it was discovered that almost 2.2 million voice recordings created by children and stored on CloudPets toys had been leaked online.

IT Pro has asked for comment from Spiral Toys, which makes the Toy-Fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.

Argos, which sells the Furby Connect and i-Que Intelligent Robot, said in a statement to IT Pro: "We haven't received any complaints about these products but we are in close contact with the manufacturers, who are already looking into these recommendations."

The issue reflects a wider concern in the security industry that basic protections are being ignored in an effort to push out as many connected devices as possible.

Earlier this year, Symantec EMEA CTO Darren Thomson remarked that the security industry had so far "fundamentally failed" to educate people about the risks of IoT hacking, and that the idea that end users would have the inclination to check that their devices were secure was evidently flawed.

Which? has called for all connected toys with known privacy or security issues to be taken off sale before parents begin their Christmas shopping.

Alex Neill, managing director of home products at Which?, said: "You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy."

"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can't be guaranteed, then the products should not be sold."
