Complete strangers may be able to message or directly talk to your kids thanks to security flaws in some popular toys, experts warn.
Consumer groups are calling on retailers to take these “connected” or “intelligent” toys, which could put children’s safety at risk, off the shelves immediately.
Security researchers teamed up with German consumer group Stiftung Warentest and product comparison website Which? to conduct a safety review of toys that could be on your kids’ must-have list this Christmas.
Flaws were found in a range of Bluetooth and Wi-Fi-enabled toys, allowing strangers to potentially communicate with a child, warn the researchers in a report.
“That person would need hardly any technical know-how to ‘hack’ your child’s toy,” they caution in the report.
Security failures turned up in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy, and CloudPets. Specifically, the Bluetooth connection was not secured in any of these toys, so researchers did not need a password, pin, or any other authentication to gain access to them.
However, since the range of Bluetooth is typically limited to about 32 feet, the main concern would be individuals with malicious intent in the child’s immediate vicinity.
As toy makers outdo one another in the race to pack ever more tech-enhanced features into their toys, including Wi-Fi and Bluetooth connectivity, regulators are trying to keep up to reduce the risk of exploitation.
Earlier this year, German regulators banned smart doll My Friend Cayla, classifying it as a “surveillance device.”
Hasbro, maker of Furby Connect, one of the toys identified in the Which? report, says the company takes children’s security very seriously, but that it is highly unlikely that their toy would actually be manipulated.
“While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the Furby Connect toy, creating new firmware and then updating the firmware, which requires being within Bluetooth range while the Furby Connet toy is in a ‘woke’ state,” Julie Duffy, senior vice president of global communications, told CNET. “A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware.”
Earlier this year, the FBI warned parents in an advisory that tech-enhanced toys could spy on their little ones.
“These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities—including speech recognition and GPS options,” the agency wrote in the advisory, cautioning that certain toys could be hacked to record video and audio of children without their parents’ knowledge.
The FBI suggests that adults research any Wi-Fi or Bluetooth-enabled toys before giving them to a child; and that if they do have them, to take proper measures to secure them.
This could mean using pins or passcodes when pairing devices and encryption for any data that is transmitted. It also suggests that parents research if data collected from these toys is being stored by a third party, and to update the toys’ software and/or firmware with security patches as they become available.