Christmas is coming, the goose is getting fat, look out for must-have toys that are 'easily hacked' ♪

Which? found this year's hot playthings lack basic security

By Richard Priday

Posted in Internet of Things, 14th November 2017 11:57 GMT

Consumer advice outfit Which? has today published a report detailing how easy it is to hack some of the most popular "connected toys" on the market and has called on retailers to stop selling those with "proven security issues".

The report found that of seven toys tested, the Furby Connect, I-Que Intelligent Robot, Cloudpet and Toy-Fi Teddy used unsecured Bluetooth connections.

The group's resident hackers found they could send text and audio messages through the toys, either through their companion apps or by connecting via laptop, without a password or other form of authentication.

The tests were carried out in association with Which?'s German counterpart, Stiftung Warentest, and security researchers. Context Information Security is the only one named.

Alex Neill, managing director of home products and services for Which?, said: "Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.

"Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold."

Hasbro, manufacturer of the Furby, took issue with Which?'s test. It said: "We believe that [hacking into the toy] would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described."

These steps included redesigning the toy's firmware and then uploading it within Bluetooth range.

Vivid Imaginations, the distributors of Genesis Toys' I-Que robot, responded similarly. It said: "While it may be technically possible for someone other than the intended user to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy."

The Register has contacted Spiral Toys, manufacturers of CloudPets and Toy-Fi Teddy, for comment. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

What do you press when flaws in Bluetooth panic buttons are exposed?

Researcher able to DoS and track personal protection kit

Google reveals rapid Bluetooth gadget connection tech

'Fast Pair' works on Androids and some audio devices, Google wants it in your car too

Bluetooth makes a mesh of itself with new spec

Up to 32,000 nodes without routers in the middle and battery life measured in years

Amazon, Google inject Bluetooth vuln vaccines into Echo, Home AI pals

Updated The BlueBorne ultimatum

Bluetooth 'Panty Buster' 'smart' sex toy fails penetration test

Yep, it's yet another dildon’t

Bluetooth bugs bedevil billions of devices

Baffling spec sinks security for short-range comms protocol

Stop your moaning, says maker of buggy Bluetooth sex toy

Companion app recorded audio you while you - ahem - played, but it never left your phone

Dildon'ts of Bluetooth: Pen test boffins sniff out Berlin's smart butt plugs

You've heard of wardriving – say hello to screwdriving

Bluetooth 5 debuts next week

Bluetooth 5.0 emerges, ready to chew on the internet of things

Gentlemen, we can rebuild it. Better … stronger … faster. And meshier, before long