November 14, 2017, updated 25 Jul 2022 6:47am

IoT threats put Christmas toys on the naughty list

Which? warns IoT devices must become more secure or be removed from shelves ahead of the festive season.

By April Slattery

Connected children’s toys using Bluetooth, Wi-Fi and mobile apps may do more harm than good following some worrying revelations from Which?

Hack tests were carried out by the consumer watchdog as part of research aiming to demonstrate the vulnerability of smart toys as a result of insecure connections.

The report revealed that four out of seven of the most popular internet of things (IoT) devices could be hacked by imposters manipulating insecure connections, potentially allowing strangers to communicate with children.

Most smart toys rely on Bluetooth connections to enable functionality, with Which? finding these toys to be the most insecure due to the lack of authentication processes, such as passwords.

Bluetooth does have a 10 metre limit to its range; however, this in itself is a concern for parents, as it means any immediate threat to their child is likely to come from someone in close proximity.

Furthermore, the findings highlight that the range of Bluetooth could be extended and picked up by hackers further afield, such as in a vehicle down the road.

Of all the devices, probably the best known is the Furby Connect, which was found to contain a flaw that let anyone within range of the device connect to it. Researchers then ‘hacked’ the device and uploaded an audio file to the toy, which could contain any malicious material including inappropriate content.


In response to the report findings the maker of Furby Connect, Hasbro, said: “We feel confident in the way we have designed both the toy and the app to deliver a secure play experience. The toy and app were not designed to collect users’ name, address or permit users to create profiles to allow Hasbro to personally identify them.”

Other common toys found to have security flaws included Amazon’s Toy-Fi Teddy, which allows children to send and receive recorded messages using a smartphone or tablet application. Hackers were able to very easily tap into the device and send their own messages to the toy, receiving replies from the child.

Further problems came with Amazon devices as hackers took control of the voice unit in CloudPets, which enabled them not only to communicate with children but also to give commands to Amazon Echo devices.


Following the research, Which? urged manufacturers to make children’s smart toys more secure ahead of Black Friday and Christmas. If security is not improved, the company suggests removing the products from shelves in order to protect children.

Alex Neill, Which? Managing Director of Home Products and Services, said:

“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.

“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
