Bluetooth-enabled toys feature major security flaws, finds Which? study

Consumer rights firm Which? has warned of serious security loopholes in popular Bluetooth-enabled toys that can be exploited by anyone to communicate remotely with a child.

Which? has highlighted security flaws in Bluetooth-enabled toys like the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets.

A report released by Which? has highlighted security flaws associated with each of these Bluetooth-enabled toys and what their makers are going to do about them. According to the firm, unless such flaws are patched, such toys can pose a big risk to your child's safety.

The report included details of tests conducted by various security experts on these toys as well as recommendations on how such loopholes can be patched. For example, the I-Que Intelligent Robot, which is being sold by Argos and Hamleys, uses Bluetooth to pair with a phone or tablet over an unsecured connection which can be exploited by anyone in the vicinity.

YOU MAY ALSO LIKE:

Similarly, Furby Connect, which is sold by Argos, Amazon, Toys R Us and Smyths, uses no security features while pairing with other Bluetooth devices, including laptops, thereby allowing anyone within its range to remotely communicate with a child.

'In all cases, it was found to be far too easy for someone to use the toy to talk to a child,' Which? noted.

Both Vivid Toys and Hasbro, respective makers of the I-Que Intelligent Robot and the Furby Connect, said that they are 'very serious' about the security of their Bluetooth-enabled toys and that they would study the recommendations from Which? and make appropriate changes.

However, Hasbro added that the vulnerability pointed out by Which? would require someone to be in close proximity to the toy and posses the technical knowledge to re-engineer the firmware.

‘We feel confident in the way we have designed both the toy and the app to deliver a secure play experience. The Furby Connect toy and Furby Connect World app were not designed to collect users’ name, address, online contact information (eg, user name, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone,' the firm added.

The environment in which such tests were conducted also required Bluetooth-enabled toys that were not protected by passwords. If parents add passwords to such devices, then such flaws would cease to exist.

However, a range of Bluetooth-enabled toys named CloudPets features serious security issues that allow malicious actors to hack them and make them play their own voice messages. A kitten version of CloudPets was previously hacked and made to order its own cat food from a nearby Amazon Echo, and a researcher was able to hack into the toy from outside the street.

'These connected toys all have security issues, but this is just the tip of a very worrying iceberg. Other countries have started to act to ensure children are kept safe, we’d like the UK to follow suit,' said Which?

Deral Heiland, IoT Research Lead at Rapid7, told TEISS that in order to facilitate a plug-and-play experience and to make functionality simple, toy-makers are implementing Bluetooth and Bluetooth low energy connectivity in Bluetooth-enabled toys without adequate security.

'I am of the belief we can have both [usability and security], but consumers must face the fact that better security such as improved communication protections will add more complexity to the products, but if well designed and properly communicated, then the complexity should be minimal, making it possible for us have better-secured products which are easy to operate and maintain,' he added.