Connected toys have ‘worrying’ security issues

Girl feeding a dollImage source, Thinkstock
Image caption,

The security services have warned about the dangers of toys being exploited by malicious hackers

Consumer watchdog Which? has called on retailers to stop selling some popular toys it says have "proven" security issues.

Those toys include Furby Connect, the i-Que robot, Cloudpets and Toy-fi Teddy.

Which? found that there was no authentication required between the toys and the devices they could link with via Bluetooth.

Two of the manufacturers said they took security very seriously.

Sloppy security

The lack of authentication meant that, in theory, any device within physical range could link to the toy and take control or send messages, the watchdog said.

"Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution," said Alex Neill, managing director of home products and services at Which?

"Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold."

Hasbro, which makes the Furby Connect, said in a statement that it believed the results of the tests carried out for Which? had been achieved in very specific conditions.

Media caption,

Rory Cellan-Jones sees how Cayla, a talking child's doll, can be hacked to say any number of offensive things.

"A tremendous amount of engineering would be required to reverse-engineer the product as well as to create new firmware," it said.

"We feel confident in the way we have designed both the toy and the app to deliver a secure play experience."

I-Que maker Vivid Imagination said there had been "no reports of these products being used in a malicious way" but added that it would review Which?'s recommendations.

Spiral Toys, which makes Cloudpets and Toy Fi, did not comment.

Other toys tested by Which? included the Wowee Chip, Mattel Hello Barbie and Fisher Price Smart Toy Bear - but these were not found to have serious security concerns.

Cyber-security expert Prof Alan Woodward, from Surrey University, told the BBC it was a "no brainer" that toys with security issues should not be put on sale.

"Sadly, there have been many examples in the past two to three years of connected toys that have security flaws that put children at risk," he said.

"Whether it is sloppiness on the part of the manufacturer, or their rush to build a product down to a certain price, the consequences are the same.

"To produce these toys is bad enough, but to then stock them as a retailer knowing that they are potentially putting children at risk is quite unacceptable."