A child safety warning has been issued over ‘smart’ toys that can be hacked via their Bluetooth connections.
The security loophole means that it is possible for strangers to connect to the toys and talk to children without their parents’ knowledge.
Consumer group Which? said an investigation found ‘worrying security failures’ with the I-Que Intelligent Robot, Furby Connect, Toy-fi Teddy, and CloudPets cuddly toy.
It has written to retailers asking them to stop selling the toys ahead of Christmas until the security problems have been resolved.
A child safety warning has been issued over ‘smart’ toys that can be hacked via their Bluetooth connections. Consumer group Which? said an investigation found ‘worrying security failures’ with the (left to right) CloudPets, Furby Connect, I-Que Intelligent Robot and Toy-fi Teddy
The toys effectively speak and play with children based on messages transmitted over the airwaves through tiny Bluetooth or Wi-Fi aerials. Which? found that the Bluetooth connection on the four toys had not been secured
Which? worked with the German consumer group Stiftung Warentet and other security experts to test popular Bluetooth or Wi-Fi toys on sale at major retailers.
The toys effectively speak and play with children based on messages transmitted over the airwaves through tiny Bluetooth or Wi-Fi aerials.
Which? found that the Bluetooth connection on the four toys had not been secured.
This meant that during tests a hacker did not need a password, PIN code or any other authentication to get access.
Very little technical know-how was needed to gain access to the toys to start sharing messages with a child.
The I-Que Intelligent Robot, has previously featured on Hamleys top toys Christmas list and is available from Argos and Hamleys in the UK.
The brightly coloured talking robot uses Bluetooth to pair with a phone or tablet through an app, but the connection is unsecured.
Experts discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot’s voice by typing into a text field.
The toy is made by Genesis Toys, the same manufacturer as the Cayla doll which was recently banned in Germany due to security and hacking concerns.
With the Furby Connect, anyone within a 30 to 100 foot (10 to 30 metre) Bluetooth range can connect to the toy when it’s switched on.
The connection could be made via a smartphone or laptop, opening up opportunities to control the toy.
Which? security experts were able to upload and play a custom audio file on to the Furby, which is available from Argos, Amazon, Smyths and Toys R Us.
CloudPets, available from Amazon, come as a stuffed animal and enable friends to send messages to a child, played back on a built-in speaker.
Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages.
Toy-fi Teddy, available from Amazon, is a teddy that allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app.
However, Which? found the Bluetooth lacks any authentication protections, meaning hackers could send their voice messages to a child and receive answers back.
The security loophole means that it is possible for strangers to connect to the toys, like the Furby Connect (pictured) and talk to children without their parents’ knowledge
During tests, a hacker did not need a password, PIN code or any other authentication to get access to the range of toys, including the CloudPets range (pictured)
The Which? managing director of home products and services, Alex Neill, said: ‘Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
‘Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.’
Vivid Imaginations, which distributed the i-Que robot for manufacturers Genesis, said while the toys may be vulnerable, ‘there have been no reports of these products being used in a malicious way’.
It said: ‘While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy.’
Vivid said it would be speaking to Genesis about improving security on the robot.
The I-Que Intelligent Robot (left) has previously featured on Hamleys top toys Christmas list. Toy-fi Teddy (right) lets a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app
Toy company Hasbro, which makes the Furby Connect, said children’s privacy is a top priority for the company. The company insisted it would be difficult to hack the toy.
It said: ‘While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy.
‘There are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the toy, creating new firmware, and then updating the firmware, which requires being within Bluetooth range while it is in a ‘woke’ state.
‘A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware.
‘We feel confident in the way we have designed both the toy and the app to deliver a secure play experience.’
The makers of the Cloud Pets and Toy-fi Teddy declined to comment.
The British Toy & Hobby Association (BTHA) played down the significance of the Which? research.
It said: ‘The circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software, that make the outcome highly unlikely in reality.’