Author Felicity Anderson

A consumer group has urged retailers to withdraw a handful of connected toys following an investigation into their online security.

Tests carried out by Which? found failings in four Bluetooth and Wi-Fi-enabled toys, which will no doubt feature on many children’s Christmas lists this year.

Highlighting security flaws that could potentially enable strangers to hack into the toys and talk to children, the tests found that “there was no authentication required between the toys and the devices they could link with via Bluetooth,” reports the BBC.

The Furby Connect, i-Que robot, Cloudpets and Toy-fi Teddy were all deemed open to misuse by the researchers, who included Which?, a German consumer group and security experts.

Two of the toys’ manufacturers have said that they take the security concerns seriously, while the remaining two have so far declined to comment.

What are the dangers of connected toys?

Which? claim that a lack of security authentication means that, in theory, any device within physical range could potentially link to the toy and take control of it or send messages through it.

Alex Neill, managing director of home products and services at Which?, told the BBC: “Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.”

“Safety and security should be the absolute priority for any toy. If that can’t be guaranteed, then the products should not be sold,” he said.

No passwords or pin codes

When testing the devices, researchers required little technical knowledge to hack into each of the toys because there was no need to enter passwords, a PIN code or any other type of authentication and from there it was.

In the case of the i-Que Intelligent Robot, available from Argos and Hamleys, “anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field,” according to the Guardian.

The newspaper notes that Genesis, the maker of the i-Que Intelligent Robot, also manufactures the My Friend Cayla doll, which was recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid.

What the manufacturers and retailers say

Hasbro, which makes the Furby Connect, is reported by the BBC as saying that it believed the results of the tests carried out for Which? had been achieved in very specific conditions.

“A tremendous amount of engineering would be required to reverse-engineer the product as well as to create new firmware,” it said.

“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience.”

I-Que manufacturer Vivid Imagination said there had been “no reports of these products being used in a malicious way” but stated that it would review Which?’s recommendations.

Spiral Toys, which makes Cloudpets and Toy-fi, did not comment, while Argos, which sells the Furby Connect and i-Que robot, said in a statement:

“The safety of the products we sell is extremely important to us. We haven’t received any complaints about these products, but we are in close contact with the manufacturers, who are already looking into [these] recommendations.”

“A no-brainer”

Cyber-security expert Prof Alan Woodward, from Surrey University, told the BBC it was a “no-brainer” that toys with security issues should not be put on sale.

“Sadly, there have been many examples in the past two to three years of connected toys that have security flaws that put children at risk,” he said.

“Whether it is sloppiness on the part of the manufacturer or their rush to build a product down to a certain price, the consequences are the same. To produce these toys is bad enough, but to then stock them as a retailer knowing that they are potentially putting children at risk is quite unacceptable.”