Parents should switch off the cameras and location trackers in their children’s ‘smart’ Christmas presents in case the toys are hacked, a regulator warned.
The Information Commissioner’s Office cautioned that the growing number of toys with Bluetooth connections, cameras and sensors leaves children at risk of being targeted by complete strangers.
Deputy Commissioner Steve Wood advised concerned adults to turn off the Bluetooth setting and set strong passwords on electronic toys destined for children’s stockings.
Parents should switch off the cameras and location trackers in their children’s ‘smart’ Christmas presents in case the toys are hacked, a regulator warned (stock image)
Writing on a blog post on the regulator’s website, he said: ‘Unlike Santa, those looking to hack into your devices don’t care whether you’ve been naughty or nice.
‘Some toys and devices are fitted with web cameras. The ability to view footage remotely is both their biggest selling point and, if not set up correctly, potentially their biggest weakness.
‘If you have no intention of viewing footage over the internet, then turn the remote viewing option off in the device’s settings, or else use strong, non-default passwords.’
He warned that devices such as smart watches, that parents may use to keep tabs on their children’s wherabouts, could unwittingly put youngsters in danger.
As a result, he encouraged switching off GPS settings.
‘One of the main selling points of children’s smart watches is the ability for parents to know where their children are at all times,’ he said.
‘However, if this isn’t done securely, then others might have access to this data as well.
‘Immediately get rid of default location tracking and GPS settings and set strong, unique passwords.’
A child safety warning has been issued over ‘smart’ toys that can be hacked via their Bluetooth connections. Consumer group Which? said an investigation found ‘worrying security failures’ with the (left to right) CloudPets, Furby Connect, I-Que Intelligent Robot and Toy-fi Teddy
The toys effectively speak and play with children based on messages transmitted over the airwaves through tiny Bluetooth or Wi-Fi aerials. Which? found that the Bluetooth connection on the four toys had not been secured
Other simple steps to protect children include changing all usernames and passwords immediately to maximise security.
Parents were also told to set up two-step identification, where the user has to connect different devices to confirm their identity.
It comes after consumer group Which? issued a warning that ‘smart’ toys can be hacked via their Bluetooth connections.
‘By taking some time and care beforehand and following our advice, you can still see a child’s face light up when they open their new, web-connected Christmas present, safe in the knowledge that you are keeping them secure as well as happy,’ he said.
The security loophole means that it is possible for strangers to connect to the toys and talk to children without their parents’ knowledge.
The group said an investigation found ‘worrying security failures’ with the I-Que Intelligent Robot, Furby Connect, Toy-fi Teddy, and CloudPets cuddly toy.
Earlier this month, Which? wrote to retailers asking them to stop selling the toys ahead of Christmas until the security problems have been resolved.
The toys effectively speak and play with children based on messages transmitted over the airwaves through tiny Bluetooth or Wi-Fi aerials.
This meant that during tests a hacker did not need a password, PIN code or any other authentication to get access.
Very little technical know-how was needed to gain access to the toys to start sharing messages with a child.
The I-Que Intelligent Robot, has previously featured on Hamleys top toys Christmas list and is available from Argos and Hamleys in the UK.
Experts discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot’s voice by typing into a text field.
With the Furby Connect, anyone within a 30 to 100 foot (10 to 30 metre) Bluetooth range can connect to the toy when it’s switched on.
The connection could be made via a smartphone or laptop, opening up opportunities to control the toy.
Which? security experts were able to upload and play a custom audio file on to the Furby, which is available from Argos, Amazon, Smyths and Toys R Us.
CloudPets, available from Amazon and other retailers, come as a stuffed animal and enable friends to send messages to a child, played back on a built-in speaker.
Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages.
Toy-fi Teddy, available from Amazon and other retailers, is a teddy that allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app.
However, Which? found the Bluetooth lacks any authentication protections, meaning hackers could send their voice messages to a child and receive answers back.