Thursday, 19 July 2018

Hacking fears over cuddly toys with Bluetooth

14 November 2017

A number of "smart" toys expected to be top sellers this Christmas have "concerning vulnerabilities" that could be exploited by hackers, a consumer group has warned.

Researchers were able to access the Furby using a laptop and upload an audio file to it, which the Furby was able to play back.

Which? found that there was no authentication required between the toys and the devices they could link with via Bluetooth.

Many Christmas wishlist items, including the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toy, can be manipulated, it is alleged.

An investigation found that a would-be hacker needed no password and little technical knowledge to gain access to the toys and to start sharing messages with a child, which in some cases could be heard through a loudspeaker built into the toy.

These steps included redesigning the toy's firmware and then uploading it within Bluetooth range.

Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.

Popular toys that use Bluetooth can be easily hacked to enable strangers to talk to a child and should be removed from shops immediately, experts claim.

Which? found that the Bluetooth connection on the four toys had not been secured.

"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority".

I-Que maker Vivid Imaginations said there had been no reports of any malicious use of its products, but it would be reviewing Which?'s findings.

Alex Neill, managing director of home products at Which?, said: "You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy". "If that can't be guaranteed, then the products should not be sold".

It said: "While it may be technically possible for someone other than the intended user to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy".

Which? is now putting its foot down and is calling for all connected toys with proven security or privacy issues to be taken off sale, citing the example of the German "Cayla" doll being yanked from shelves after it was revealed that it records children's conversations and uploads them to the cloud.

IT Pro has asked for comment from Spiral Toys, which makes the Toy-fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.
