Hackers able to seize control of children’s Christmas toys

Hackers will be able to seize control of six top-selling Christmas toys – tapping into video streams, microphones and even collecting phone numbers and personal details.

Experts at Top10VPN UK said it was ‘shockingly simple’ to take control of any toy with an unsecured Wi-Fi or Bluetooth connection, to access its data and tap into its camera or microphone.

They found that a children’s smart tracking watch had fundamental security flaws that would allow a hacker to pose as a parent and send fake messages or SMS alerts.

They were able to hijack a remote-control car and tap into the feed from its built-in video camera. And they found they could browse through recordings made by a drone and infect it with malware.

The toys tested were the Q50 Smart Tracking Watch, Mass Effect: Andromeda NOMAD ND1 RC Car, Sky Viper v2400 HD Streaming Drone, AirHogs FPV High Speed Race Car, Cognitoys Dino and the Star Wars BB-8 Droid. 

This device has fundamental security flaws that put children in danger. With no authentication and encryption, it’s simple for a hacker to impersonate a child’s parents or loved ones by sending fake messages or SMS alerts to the watch

Hackers can intercept the video stream from the built-in camera completely undetected, as all data sent from the toy to its companion app is unencrypted


While the hacker can't take control of the drone, they could infect the toy with malware, rendering it inoperable, or worse


All Wi-Fi and Bluetooth enabled toys are vulnerable to attack and there’s no way of preventing it, according to the researchers.

Hackers are able to tap into the devices because each toy has its own hotspot, without any form of security or privacy settings.

Where phones, laptops and tablets have options to set passwords for the user to secure their device, the toys don’t – leaving them vulnerable to anyone who wants to log in.

JP Jones at Top10VPN told MailOnline: ‘Imagine you have a child in a block of flats, you can see neighbours’ Wi-fis but cannot connect as they are usually secured. 

‘Nosy neighbours can connect to these toys and will be able to access a lot of sensitive information.’

While the manufacturers aren’t breaking any rules by not having privacy and security settings on the toys, the researchers believe they should be more responsible.

Simon Migliano, head of research at Top10VPN.com, added: ‘It’s roughly tens of thousands of pounds to create the security features, but that is not much for these companies.

‘We have passed on our research to all the manufacturers and have only received acknowledgments from two. 

‘Regulations need to keep up with the pace of technology. But customers should also be taking responsibility and parents need to educate themselves on what they are buying for their children.’ 

The research underlines why children’s smartwatches were recently banned outright in Germany and certain models pulled from UK shelves.

Even without the companion app, the more determined hacker could record the streaming video as it is not encrypted


It found that kids’ smartwatches with GPS tracking, currently flooding Amazon, are vulnerable to stalking by strangers who could potentially send messages impersonating trusted friends and relatives. 

The discoveries come in the wake of serious warnings about smart toys from the FBI and the Information Commissioner’s Office, the UK’s independent privacy watchdog. The Top10VPN.com findings also build on a recent consumer report revealing the vulnerability of Bluetooth-enabled toys. 

This study goes further to demonstrate an even more serious problem given the greater capabilities of Wi-Fi devices compared to more limited Bluetooth functionality. 

Independent security researcher Sarah Jamie Lewis, commissioned by the comparison website Top10VPN.com, said the team compromised all six of the toys they tested.

While this device does require a person to physically press a button to make any recordings, cyber criminals can easily steal them once created 


It's technically possible an attacker and would-be thief could use its sensors to map a room


They were able to intercept cameras and microphones, retrieve private pictures and video, access the location of a device and ‘spoof’ – deliberately alter – information such as child location to a parental monitoring app.

Sarah Jamie Lewis said: ‘It was shockingly simple to take full control of these toys and intercept video feeds from onboard cameras within minutes. 

‘This opens up a number of frightening scenarios where anyone, even a stranger driving around in a car, can discover these vulnerable Wi-Fi enabled toys, and can hack into these devices with the intent of violating a child’s privacy or worse.’

Mr Migliano added: ‘These shocking findings must serve as a wake-up call to the toys industry and regulators to prevent children from being put at risk.

‘Until there is a security standard that must be met by all connected toy manufacturers, we would urge parents to think very carefully about buying any smart products for their children.

‘It’s easy to get caught up in the fun of toys that have increasingly sophisticated functionality built in, but given what we’ve managed to do with the six toys we tested, as a parent myself, I certainly would not expose my children to this kind of danger.’ 

MailOnline has contacted the manufacturers for comment. 

TOYS VULNERABLE TO HACKERS 

The toys were tested and evaluated for security and privacy, and given an overall danger rating. The findings were as follows: 

1. Q50 Smart Tracking Watch £28.69

This device has fundamental security flaws that put children in danger. With no authentication and encryption, it’s simple for a hacker to impersonate a child’s parents or loved ones by sending fake messages or SMS alerts to the watch. Worryingly, this same issue allows for an attacker to spoof a child’s location to mislead their parents about where their child is. An attacker can also use the device to monitor and listen to the child and their surroundings, while its companion app is riddled with tracking scripts and advertising with huge privacy issues.

2. Mass Effect: Andromeda NOMAD ND1 RC Car £199.99

This toy is at high risk from hackers. It takes just 14 minutes for an attacker to take complete control of the car due to a lack of authentication and encryption. They can also intercept the video stream from the built-in camera completely undetected, as all data sent from the toy to its companion app is unencrypted. It’s also possible to completely break the toy or infect it with malware via a malicious firmware update.

3. Sky Viper v2400 HD Streaming Drone £99.99

This is a very risky toy. With a lack of encryption and authentication, a hacker can easily intercept live video streams from the toy, and snoop through previously stored video and images. While the hacker can’t take control of the drone, they could infect the toy with malware, rendering it inoperable, or worse.

4. AirHogs FPV High Speed Race Car £99.99

This toy requires no hacking experience to access its onboard camera. The toy’s open Wi-Fi network allows anyone with the companion app to watch a live video stream of the car and its operator’s surroundings. Even without the companion app, the more determined hacker could record the streaming video as it is not encrypted.

5. Cognitoys Dino £99.99

This toy’s Wi-Fi hotspot is exposed during set-up due to its lack of encryption, and leaves all forms of communication over the internet vulnerable to interception from hackers. Whilst the device does require a person to physically press a button to make any recordings, cyber criminals can easily steal them once created.

6. Star Wars BB-8 App-Enabled Droid £119.99

While parents can be relieved there is little danger from a toy that’s in great demand thanks to the latest Star Wars film hitting cinemas next week, hackers can easily take control of the BB-8, as it requires no authentication. While it’s technically possible an attacker could use its sensors to map a room, a more likely outcome would be to cause the toy to act as a strobe at a fast frequency.

 


