Security Concerns in Connected Toys

Internet-connected toys may be precious items for children, but they may also pose a very serious security threat to them. Connected toy security concerns began to grab headlines in late 2015, when VTech, a toy manufacturer, announced that one of its databases had been hacked. This security breach led to the exposure of names, ages and genders of more than 6 million children who had toys produced by the manufacturer.

The security of these toys has been in the limelight since then, and now consumer watchdog Which? has raised serious concerns about particular toys. It has even warned parents to get rid of these toys or deactivate their systems. The toys are expected to be in more demand during the Christmas period.

Questionable Bluetooth Security

Which? carried out tests together with German consumer group Stiftung Warentest, alongside other security experts and ethical hackers, and they found major flaws in the Bluetooth-enabled toys. The toys that raised concern due to their insecurity were Furby Connect, the i-Que robot, Cloudpets and Toy-Fi Teddy.

These four were picked from a sample of seven toys, and the primary concern was the lack of security in the Bluetooth connection. During their tests, the researchers did not need a password, PIN or authentication of any sort to get into the system of a toy. Nor did the process need any technical know-how, a factor that makes the threat even bigger.

This lack of Bluetooth security can allow strangers to easily hack into the system of a toy and start sharing messages or talking to a child.

Furby Connect

The Furby Connect toy could be easily connected to any Bluetooth device within a range of 10-30 meters. After that, one can control the toy system.

For the i-Que Intelligent Robot, one only needs to download the app, search for an i-Que within their range or go near the targeted robot toy, and then start using the robot’s voice by typing into a text field. The i-Que Intelligent Robot is from the same manufacturer as My Friend Cayla, a toy that was recently banned in Germany due to its security and hacking concerns. Both are made by Genesis, an American toy manufacturer, and distributed in the UK by Vivid.

Cloudpets toys allow friends to send messages to a child. This message is then played via the inbuilt speaker. However, their connection also doesn’t require any authentication. This opens the door for anyone, whether good or ill-willed, to send any messages they like to your child.

The Toy Fi Teddy

Toy-Fi Teddy toys were the others highlighted, and they are also meant to allow a child to receive messages over Bluetooth using either a smartphone or a tablet app. Which? found that the Bluetooth connection of these toys is also not secured, making it possible for strangers to send messages to your child.

Exercise Caution

According to Alex Neill, the managing director of home products and services at Which?, one should be very careful when buying intelligent toys for their children.

“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” Neill said. “Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”

After identifying these security flaws, Which? took the initiative and urged retailers to stop selling connected toys that have now or in the past raised security concerns. 

Argos, which sells the i-Que Intelligent Robot in the UK, said in a statement:

“The safety of the products we sell is extremely important to us. We haven’t received any complaints about these products but we are in close contact with the manufacturers, who are already looking into [these] recommendations.”

Hasbro, which makes the Furby Connect, said:

“Children’s privacy is a top priority, and that is why we carefully designed the Furby Connect and the Furby Connect World app to comply with children’s privacy laws. We feel confident in the way we have designed both the toy and the app to deliver a secure play experience.”

The British Toy and Hobby Association, of which Vivid and Hasbro are members, said:

“The industry takes its responsibilities incredibly seriously when making products for children, with BTHA members investing heavily in everything from toy safety to data privacy and online security.”

“We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality.”

Spiral Toys, which makes Cloudpets and Toy Fi, did not comment.

The other toys that Which? tested were the Wowee Chip, Mattel Hello Barbie and Fisher Price Smart Toy Bear. These were found to have no serious security concerns.

Cyber-security expert Prof Alan Woodward, from Surrey University, also commented on the issue. He told the BBC that it was a “no brainer” that toys with security issues should not be put on sale.

“Sadly, there have been many examples in the past two to three years of connected toys that have security flaws that put children at risk,” he said.

“Whether it is sloppiness on the part of the manufacturer, or their rush to build a product down to a certain price, the consequences are the same.”

“To produce these toys is bad enough, but to then stock them as a retailer knowing that they are potentially putting children at risk is quite unacceptable.”

More Calls for Concern

This week, the FBI has also warned parents that toys which have access to the internet pose privacy and “contact concerns” for children. On Monday 13th, it released a public service announcement (PSA) about the issue. The statement said that sensors such as cameras, microphones and GPS used in smart toys raise a concern for the “privacy and physical safety” of children.

In the statement, the FBI warned:

“These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”

“The collection of a child’s personal information combined with a toy’s ability to connect to the internet or other devices raises concerns for privacy and physical safety.”

“Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”

This is a major point of concern, and it calls on all parents to exercise caution when buying toys for their kids. Maybe it is time to go for a less hi-tech toy?

VPN Adviser