Connected Toys Let Creepers Talk to Your Kids

As Black Friday looms, UK consumer rights group Which? is calling for a ban on connected toys, citing “concerning vulnerabilities” in several devices.  


The firm went on to say that it’s child’s play, as it were, to hack the Bluetooth or Wi-Fi connection used by the toy, for a man-in-the-middle takeover that could allow hackers to spy and eavesdrop on the family, or even talk to kids, for that uber-creeptastic feel. They could also simply steal data and information.

Design flaws that don’t require strong authentication (or any authentication at all, really) “enable anyone to effectively talk to a child through their toy,” the group said in a warning note. “That person would need hardly any technical know-how to ‘hack’ your child’s toy. Bluetooth has a range limit, usually 10 meters, so the immediate concern would be someone with malicious intentions nearby. However, there are methods for extending Bluetooth range, and it’s possible someone could set up a mobile system in a vehicle to trawl the streets hunting for unsecured toys.”

Some of the specific toys that the group said should be 86’d from stockings this year include Furby Connect; I-Que Intelligent Robot; Toy-fi Teddy; and CloudPets cuddly toy.

CloudPets was found earlier in the year storing the voice recordings of people interacting with the toy—including, of course, loads of children—in an unencrypted fashion in a publicly accessible online database.

Nonetheless, our ongoing obsession with electronics show no sign of cooling off. Connected toys are at the top of the holiday wish list this season, along with other internet of things (IoT) devices, like Google Home, Apple Watch and Fitbits.

And, the security of these inherently non-secure devices is taking a back seat to the growing enthusiasm to own them, according to a survey of more than 1,000 US adults conducted by Keeper Security.

The survey found that 65% of Millennials, the most active buyers of IoT devices, are not aware of the rising tide of concern around IoT device security. And the same percent—65%—said they don’t take evaluation of security of IoT devices seriously.

The survey found that nearly 53% of the IoT devices that respondents intend to purchase, are toys. This is far ahead of the 23.6% for wearable devices and 22.4% each for both home security and smart home devices like thermostats or vacuums.

So it’s unlikely that a ban on IoT devices would go down well with the peeps.

Which? however is taking a hard line: “You wouldn’t let a young child play with a smartphone unsupervised, and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy,” said Alex Neill, Which? MD of home products and services. “While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can’t be guaranteed, then the products should not be sold.”

What’s Hot on Infosecurity Magazine?