The consumer testing and advice website uncovered “concerning vulnerabilities” in several connected toys, including Furby and CloudPets, which could enable a stranger to talk to a child.
They are now calling for retailers to stop selling these toys until the security issues are addressed.
“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” said Alex Neill, Which? managing director of home products and services.
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
In collaboration with German consumer group Stiftung Warentest, Which? tested connected toys on sale at major retailers.
The investigation found that, in four of the seven devices tested, people could use the toy to communicate with a child.
It revealed “worrying security failures” with the Furby, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toy.
The Which? report stated: “In each of the toys, the Bluetooth connection had not been secured, meaning during the tests the hacker didn’t need a password, PIN code or any other authentication to get access.
“In addition, very little technical know-how was needed to gain access to the toys to start sharing messages with a child.”
What toys could be hacked?
Which? detailed the four toys that could be hacked, where they were available and details of the security issues.
1. Furby Connect.
“Available at Argos, Amazon, Smyths and Toys R Us. Anyone within a 10-30 metre Bluetooth range can connect to the toy when it’s switched on, with no physical interaction required. This is because it does not use any security features when pairing. Plus, you can make the connection via a laptop, opening up more opportunities to control the toy. Our security experts were able to upload and play a custom audio file on the Furby.”
Toy manufacturer Hasbro responded: “At Hasbro, children’s privacy is a top priority, and that is why we carefully designed the Furby Connect toy and the Furby Connect World app to comply with children’s privacy laws.
“In support of this, we also engaged a third party to perform security testing on the Furby Connect toy and Furby Connect World app. We carefully reviewed the report, and take this very seriously.
“While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the Furby Connect toy, creating new firmware, and then updating the firmware, which requires being within Bluetooth range while the Furby Connect toy is in a “woke” state. A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware.
“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience. The Furby Connect toy and Furby Connect World app were not designed to collect users’ name, address, online contact information (e.g. username, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.”
2. The I-Que Intelligent Robot.
“Previously featured on Hamleys top toys Christmas list and available from Argos and Hamleys. This talking robot uses Bluetooth to pair with a phone or tablet through an app, but the connection is unsecured. Which?’s investigation discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot’s voice by typing into a text field. The toy is made by Genesis Toys, the same manufacturer as the Cayla doll which was recently banned in Germany due to security and hacking concerns.”
Toy manufacturer of i-Que, Vivid Imaginations, responded: “Vivid have been aware of recent reports on connected toys that we distributed on behalf of the manufacturer Genesis since 2014. Within these reports it raises the issues of the security of the user which we take very seriously.
“Whilst some of these reports highlight potential vulnerability in the products, there have been no reports of these products being used in a malicious way. While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy.
“As a result of the published reports Vivid has been actively involved in communicating the issues to the manufacturer. Technical recommendations to add Bluetooth authentication as a firmware update to the toy and app would need to be reviewed and, if feasible, implemented by Genesis. We will actively pursue this matter with them directly.
“In conclusion, the connected toys distributed by Vivid, fully comply with essential requirements of the Toy Safety Directive and harmonised European standards and [we] consider these products to be safe and for consumers to use when following the user instructions.”
3. CloudPets.
“Available from Amazon, the toy comes as a stuffed animal and enables friends to send messages to a child, played back on a built-in speaker. Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages.”
The toy manufacturer, Spiral Toys, declined to comment.
4. Toy-fi Teddy.
“Available from Amazon online. A teddy that allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. However, Which? found the Bluetooth lacks any authentication protection, meaning our hackers could send their voice messages to a child and receive answers back.”
The toy manufacturer, Spiral Toys, declined to comment.
What do the retailers have to say?
1. Argos: “The safety of the products we sell is extremely important to us. We haven’t received any complaints about these products, but we are in close contact with the manufacturers, who are already looking into these recommendations.”
2. Toys R Us and Smyths referred to the manufacturer comments.
3. Amazon: “We will decline to comment on the Furby Connect and Toy-Fi Teddy.”
4. Tesco: Which? stated: “Tesco do not sell the products on test and haven’t so far made a general comment.”
5. John Lewis: Which? stated: “John Lewis do not sell any products on test, but has agreed to engage with us about the topic.”
HuffPost UK has contacted Hamleys for comment and will update this article upon their response.