Call to ban sale of IoT toys with proven security flaws

"Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution", said Alex Neill, managing director of home products and services at Which?, according to BBC.

Which? has revealed that the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets toys were all susceptible to this hack.

CONSUMER WATCHDOG Which? has warned parents to keep security-unaware connected toys away from their children this Christmas.

In the case of the Furby, Which?'s external security researchers also thought it would be possible for someone to re-engineer its firmware to turn the toy into a listening device due to a vulnerability they found in the toy's design (which it's not publicly disclosing).

Which? also tested Wowee Chip, Mattel Hello Barbie, and Fisher Price's Smart Toy Bear but couldn't find evidence that these toys had any security issues.

But Vivid Imaginations, which distributes the i-Que Intelligent Robot, said: "There have been no reports of these products being used in a malicious way".

"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority".

The product testing firm said "very little technical know-how" is needed to access the toys, which are created to allow children to send and receive messages.

These popular gifts aren't stranger-danger proof

The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these connections were found to have been misconfigured and as a result could be easily hacked.

That's something that's especially concerning when kids' toys are involved, and Which? has asked retailers to stop selling the ones that have "proven" problems where security is concerned.

Which? found that anyone can play voice messages through both products after connecting through Bluetooth, with the teddy even allowing children to send responses. The Bluetooth feature lacks any authentication protection, however, meaning hackers can send voice messages to a child and receive answers back.

"We feel confident in the way we have designed both the toy and the app to deliver a secure play experience", a Hasbro spokeswoman said in an email. A kitten version of CloudPets was previously hacked and made to order its own cat food from a nearby Amazon Echo, and a researcher was able to hack into the toy from outside the street.

"A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware".

Spiral Toys declined to comment to Which? in relation to Toy-Fi Teddy and Cloud Pets.

"We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on an ideal set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality".
