Ahead of 2017’s present buying season, UK consumer rights group Which?[1] has warned parents about the risks of giving connected toys to their children, and called for devices with known security and/or privacy risks to be banned from sale on kids safety grounds.
Working with security researchers the group has spent the past 12 months investigating several popular Bluetooth or wi-fi toys that are on sale at major retailers, and says it found “concerning vulnerabilities” in several devices that could “enable anyone to effectively talk to a child through their toy”.
It’s published specific findings[2] on four of the toys it looked at: Namely the Furby Connect; I-Que Intelligent Robot; Toy-fi Teddy; and CloudPets cuddly toy.
The latter toy drew major criticism from security experts[3] in February when it was discovered that its maker had stored thousands of unencrypted voice recordings of kids and parents using the toy in a publicly accessible online database — with no authentication required to access the data. (Data was subsequently deleted and ransomed.)
Which? says in all cases it was found to be far too easy for someone to illicitly pair their own device to the toys and use the tech to talk to a child. It especially highlights Bluetooth connections not having been properly secured — noting for example there was no requirement for a user to enter a password, PIN code or any other authentication to gain access.
“That person would need hardly any technical know-how to ‘hack’ your child’s toy,” it writes. “Bluetooth has a range limit, usually 10 meters, so the immediate concern would be someone with malicious intentions nearby. However, there are methods for extending Bluetooth range, and it’s possible someone could...