A number of "smart" toys expected to be top sellers this Christmas have "concerning vulnerabilities" that could be exploited by hackers, a consumer group has warned.
Researchers were able to access the Furby using a laptop and upload an audio file to it, which the Furby was able to play back.
Which? found that there was no authentication required between the toys and the devices they could link with via Bluetooth.
Many Christmas wishlist items, including the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toy, can be manipulated, it is alleged.
An investigation found that a would-be hacker needed no password and little technical knowledge to gain access to the toys and to start sharing messages with a child, which in some cases could be heard through a loudspeaker built into the toy.More news: Trump Asks China's President To Help Resolve UCLA Shoplifting Case
These steps included redesigning the toy's firmware and then uploading it within Bluetooth range.
Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.
Popular toys that use Bluetooth can be easily hacked to enable strangers to talk to a child and should be removed from shops immediately, experts claim.
Which? found that the Bluetooth connection on the four toys had not been secured.
"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority".More news: Sensex down by 281 pts, 3-week-low
I-Que maker Vivid Imaginations said there had been no reports of any malicious use of its products, but it would be reviewing Which?'s findings.
Alex Neill, managing director of home products at Which?, said: "You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connect toy". "If that can't be guaranteed, then the products should not be sold". It said: "While it may be technically possible for someone other than the intended user to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy".
Which? is now putting its foot down and is calling for all connected toys with proven security or privacy issues to be taken off sale, citing the example of the German "Cayla" doll being yanked from shelves after it was revealed that it records children's conversations and uploads them to the cloud.
IT Pro has asked for comment from Spiral Toys, which makes the Toy-fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.More news: Cut-off date set to spend old £10 notes
- Marcus Rashford: I'm trying to model my game on Brazil's Ronaldo
- 4th person shot dead in Tampa neighborhood
- Everton have £8.5m move for Silva rejected by Watford
- Dawood Ibrahim's Mumbai Properties Auctioned For Over 11 Crores, Includes Hotel
- 9th Circuit partly allows third travel ban to take effect
- French skier dies during training in Canada
- Week 10 game grades: Minnesota Vikings vs. Washington Redskins
- GI tag says West Bengal is where the 'rosogolla' originated
- Jimmy Fallon pays tearful tribute to his mother
- Honor V10 to launch in China on November 28