Hackers can 'talk to your children' through connected toys

New research has found that many leading internet-enabled toys contain security flaws that allow hackers to talk directly to a child, prompting calls for retailers to pull affected products from the shelves before the Christmas rush.

Tests revealed that four out of seven of some of the most popular IoT toys could be hacked in a way that let strangers manipulate built-in voice modules to communicate with a child.

The report by Which?, supported by German consumer group Stiftung Warentest and a body of security experts, found that the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets toys were all susceptible to this hack.

The toys rely on Bluetooth connections to enable some of their features, including using a toy's voice to replay anything typed into a text box, but these were found to have been misconfigured and as a consequence could be easily hacked.

These unsecure connections meant that researchers didn't need a password or a PIN to access the device and that very little technical know-how was needed to take control of the voice module.

Bluetooth is typically limited to a distance of 10 metres, meaning that any immediate threat is likely to be from someone nearby. However, the report highlights that the range could be extended and picked up by hackers further away, such as in a vehicle on a nearby road.

The Furby Connect, perhaps the most well-known toy on the list, was found to contain the Bluetooth flaw that let anyone within range connect to the toy. Researchers were then able to upload a custom audio file to the toy, which could be anything given the lack of restrictions, including inappropriate material.

Furby manufacturer Hasbro told Which? that it takes the report "very seriously", although it claimed that the discovered exploits would require someone to re-configure the device's firmware, something that would take expert knowledge.

The Toy-fi Teddy, which is available from Amazon and a number of other online retailers, allows children to send and receive recorded messages created using a smartphone or tablet app. It was found that hackers could send their own voice messages to the toy, and receive the replies from the child.

It was also found that hackers could take control of the voice unit in CloudPets toys that allowed them not only to talk to children, but even issue commands to a nearby Amazon Echo speaker.

This isn't the first time CloudPets has been accused of failing to protect its users. Earlier this year it was discovered that almost 2.2 million voice recordings created by children and stored on CloudPets toys had been leaked online.

IT Pro has asked for comment from Spiral Toys, which makes the Toy-fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.

Argos, which sells the Furby Connect and I-Que Intelligent Robot, said in a statement to IT Pro: "We haven't received any complaints about these products but we are in close contact with the manufacturers, who are already looking into these recommendations."

The issue reflects a wider concern in the security industry that basic protections are being ignored in an effort to push out as many connected devices as possible.

Earlier this year, Symantec EMEA CTO Darren Thomson remarked that the security industry had so far "fundamentally failed" to educate people to the risks of IoT hacking and that the idea that end users would have the inclination to check their devices were secure was evidently flawed.

Which? has called for all connected toys with known privacy or security issues to be taken off sale before parents begin their Christmas shopping.

Alex Neill, managing director of home products at Which?, said: "You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connect toy."

"While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can't be guaranteed, then the products should not be sold."

Picture: Stock image

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.