Which? outlines security concerns around connected toys

Posted on 15th November 2017 By Billy Langsworthy

Which? has outlined vulnerabilities in connected toys that it believes could pose a child safety risk and the firm is now calling for retailers to stop selling toys with ‘proven security issues’.

In collaboration with German consumer group Stiftung Warentet and other security research experts, Which? conducted a snapshot test into popular Bluetooth or Wi-Fi toys on sale at major retailers.

The investigation found that someone could use a toy to communicate with a child in four out of the seven devices tested.

In each of the toys tested, the Bluetooth connection had not been secured, meaning during the tests, Which?’s hacker didn’t need a password, PIN code or any other authentication to get access. In addition, very little technical know-how was needed to gain access to the toys to start sharing messages with a child.

Which? tested:
– Furby Connect: Anyone within a 10 to 30 metre Bluetooth range can connect to the Furby Connect when it’s switched on, with no physical interaction required. This is because it does not use any security features when pairing. Plus, you can make the connection via a laptop, opening up more opportunities to control the toy. Our security experts were able to upload and play a custom audio file on the Furby.

– The I-Que Intelligent Robot: Which?’s investigation discovered that anyone can download the app, find an i-Que within Bluetooth range and start chatting using the robot’s voice by typing into a text field. The toy is made by Genesis Toys, the same manufacturer as the Cayla doll which was recently banned in Germany due to security and hacking concerns.

– CloudPets: Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages.

– Toy-fi Teddy: Which? found the Bluetooth lacks any authentication protections, meaning our hackers could send their voice messages to a child and receive answers back.

“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” said Alex Neill, Which? MD of Home Products and Services. “Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”

On Which?’s finding, Hasbro stated:
“At Hasbro, children’s privacy is a top priority, and that is why we carefully designed the Furby Connect toy and the Furby Connect World app to comply with children’s privacy laws. In support of this, we also engaged a third party to perform security testing on the Furby Connect toy and Furby Connect World app. We carefully reviewed the report, and take this very seriously. While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the Furby Connect toy, creating new firmware, and then updating the firmware, which requires being within Bluetooth range while the Furby Connect toy is in a “woke” state. A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware.

“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience. The Furby Connect toy and Furby Connect World app were not designed to collect users’ name, address, online contact information (e.g., user name, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.”

Vivid Imaginations, distributer of i-Que, added:
“Vivid have been aware of recent reports on connected toys that we distributed on behalf of the manufacturer Genesis since 2014. Within these reports it raises the issues of the security of the user which we take very seriously. Whilst some of these reports highlight potential vulnerability in the products, there have been no reports of these products being used in a malicious way. While it may be technically possible for a third party (someone other than the intended user) to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy.

“As a result of the published reports Vivid has been actively involved in communicating the issues to the manufacturer. Your technical recommendations to add Bluetooth authentication as a firmware update to the toy and app would need to be reviewed and, if feasible, implemented by Genesis. We will actively pursue this matter with them directly. In Conclusion, the connected toys distributed by Vivid, fully comply with essential requirements of the Toy Safety Directive and harmonised European standards and consider these product to be safe and for consumers to use when following the user instructions.”