Your #children’s #connected toys can be #hacked, warn #experts

Many of this Christmas’ most popular children’s toys are vulnerable to hacking, a consumer watchdog has found.

Which? identified security issues with Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toys, which could allow adults to take control of the toy remotely and communicate with a child.

All four toys feature unsecured Bluetooth connections, meaning the security testers were not required to supply a password or PIN to gain access to the device.

The consumer body worked in conjunction with German watchdog Stiftung Warentet and third-party security experts to test seven different toys, four of which failed the test.

The failure of Furby Connect, a chattering electronic toy which connects to smartphone or tablet via Bluetooth, to ask for security features during pairing means anyone within 10-30 metres can connect to it.

Researchers were able to access the Furby using a laptop and upload an audio file to it, which the Furby was able to play back.

Such security vulnerabilities could technically allow hackers to speak to children at relatively close range.

Similarly, the security team were able to make the I-Que Intelligent Robot repeat phrases of their choosing by downloading the I-Que app, searching for a nearby device and typing into a text field. The robot then speaks the input text out loud.

A lack of secure Bluetooth authentifications also allowed the researchers to play recorded voice messages through cuddly CloudPets toys and Toy-fi Teddy.

Wowee Chip, a robot dog, also sported the same Bluetooth vulnerability, but the researchers were not able to use it to speak to a child, though they were able to remotely control it.

Fisher-Price’s Smart Toy Bear and Mattel’s Hello Barbie were also tested, and while Which? claims their results were not as concerning, it notes they have been the focus of hacking horror stories in the past.

A spokesperson for Hasbro, maker of Furby, said children’s privacy was a “top priority”. “That is why we carefully designed the Furby Connect toy and the Furby Connect World app to comply with children’s privacy laws. In support of this, we also engaged a third party to perform security testing on the Furby Connect toy and Furby Connect World app. We carefully reviewed the report, and take this very seriously.”

The company said it was confident the combination of close proximity to the toy, engineering  it, creating new firmware and then updating the firmware would make the likelihood of hacking extremely low.

A spokesperson for Vivid Imaginations, i-Que’s maker, said the company was aware of recent reports on connected toys which raised security issues.

“While some of these reports highlight potential vulnerability in the products, there have been no reports of these products being used in a malicious way,” they said. “While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy.

“Your technical recommendations to add Bluetooth authentication as a firmware update to the toy and app would need to be reviewed and, if feasible, implemented by Genesis [the toy’s manufacturer]. We will actively pursue this matter with them directly.”

Cloud Pets & Toy Fi – Spiral Toys declined to comment.