Connected toys have 'worrying' security issues

Posted November 14, 2017

Warn children to tell you about any messages they receive from strangers at any time.

They found that there is no authentication required to link some toys with devices via Bluetooth.

Many of this Christmas' most popular children's toys are vulnerable to hacking, a consumer watchdog has found.

In each of the aforementioned toys, the Bluetooth connection had not been secured, meaning hackers didn't need a password to gain access.

The I-Que Intelligent Robot has previously featured on Hamleys' top toys Christmas list and is available from Argos and Hamleys.

The brightly coloured talking robot uses Bluetooth to pair with a phone or tablet through an app, but the connection is unsecured.

Experts discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot's voice by typing into a text field.

"Sadly, there have been many examples in the past two to three years of connected toys that have security flaws that put children at risk", he said.

Researchers were able to access the Furby using a laptop and upload an audio file to it, which the Furby was able to play back.

CloudPets toys, on sale at Amazon, are stuffed animals that enable friends to send a child messages that are played on a built-in speaker.

Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages. Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.

The consumer body worked in conjunction with German watchdog Stiftung Warentest and third-party security experts to test seven different toys, four of which failed the test.

"Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold".

Vivid Imagination, who produce the I-Que robot, said that they would review Which?'s claims, but insisted that they had never received reports of the toys "being used in a malicious way". "While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it hard for the third party to remotely connect to the toy".

Vivid said it would be speaking to Genesis about improving security on the robot. "That is why we carefully designed the Furby Connect toy and the Furby Connect World app to comply with children's privacy laws". The company insisted it would be hard to hack the toy.

Hasbro, which makes the Furby Connect, said in a statement that it believed the results of the tests carried out for Which? had been achieved in very specific conditions.

"A tremendous amount of engineering would be required to reverse-engineer the product as well as to create new firmware", it said.

The Register has contacted Spiral Toys, manufacturers of CloudPets and Toy-Fi Teddy, for comment.