CIO

UK consumer group calls for vulnerable smart toys to be taken off shelves

  • Liam Tung (CSO Online)
  • 15 November, 2017 07:21

UK consumer watchdog Which? has issued a timely warning about smart toy security ahead of this week’s Black Friday sales and the Christmas shopping period.

The consumer protection group has called for retailers to take smart toys off retail shelves if they’ve got “proven security or privacy issues”. 

“We’re calling for smart toys to be made secure, or taken off sale entirely,” Which? said on Tuesday. 

Which? singles out four smart toys in which it and other researchers have found “concerning vulnerabilities” that could expose children to spying, tracking or contact from a stranger. It notes that the bugs can be exploited by anyone, not just professional hackers.

The group approached all major toy retailers to raise their concerns over the products and also filed reports with UK Government child protection agencies and the UK’s National Cyber Security Centre. 

Which? asked UK security firm ContextIS to probe a Furby Connect, a Bluetooth-connected smart toy made by US toy giant Hasbro. ContextIS used elements of a project by Florian Euchner that explores a Furby Connect’s microcontrollers for controlling its movements and displaying animations on its LCD eyes. 

ContextIS used that work as a starting point for exploring potential security vulnerabilities. It says the toy did not use the Bluetooth security features available to it, such as requiring authentication when pairing or encrypting the link between the toy and the phone it connects to. As a result, anyone within Bluetooth range with the Furby Connect World app installed could connect to the toy and communicate with it.

Using these Bluetooth weaknesses, the firm was able to display custom graphics and animations on the toy’s eyes. It also found that the toy does not require firmware updates to be digitally signed by the manufacturer, so an attacker who can reach the toy could install a malicious firmware update.
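The missing control in the last sentence is a firmware acceptance check: before applying an update, the device should parse and bound-check the image, verify an authentication tag over the whole image with a key the attacker does not hold, and only then write it to flash. The following is an added example written for this article; it is not code from Which?, ContextIS, Hasbro or the Furby Connect itself. The image layout (a `FWUP` magic, version, length, payload and trailing tag) is invented for illustration, and the tag is an HMAC-SHA256 standing in for the asymmetric signature (for example Ed25519) a real device would verify against a stored public key; the acceptance logic is the same either way. The `unsigned_loader` function shows, for contrast, the behaviour the article describes: an image is accepted on structure alone, so anyone can craft one.

```python
import hashlib
import hmac
import struct

# Hypothetical update image format (invented for this example):
#   4-byte magic | u32 version | u32 payload length | payload | 32-byte tag
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32


def build_image(signing_key: bytes, version: int, payload: bytes) -> bytes:
    """Produce a signed update image. Only the manufacturer holds signing_key.
    HMAC is used here so the example runs with the standard library; a real
    device would carry a public key and verify an asymmetric signature."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return body + tag


def unsigned_loader(image: bytes) -> bytes:
    """The weak behaviour: parse the header and accept whatever is inside.
    Nothing ties the image to the manufacturer, so any attacker-built image
    with a well-formed header is installed."""
    if len(image) < HEADER.size:
        raise ValueError("truncated image")
    magic, _version, length = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return image[HEADER.size:HEADER.size + length]


def verify_image(verify_key: bytes, image: bytes, installed_version: int) -> bytes:
    """The hardened behaviour. Returns the payload only if the image is well
    formed, authentic under verify_key and newer than what is installed;
    raises ValueError otherwise. Nothing is written before every check passes."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("truncated image")
    magic, version, length = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    # Length must account for the whole buffer, so a trailing tag cannot be
    # misread as payload and no bytes are left unauthenticated.
    if HEADER.size + length + TAG_LEN != len(image):
        raise ValueError("length mismatch")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(verify_key, body, hashlib.sha256).digest()
    # Constant-time comparison: a timing leak here would let an attacker
    # forge a tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    # Anti-rollback: a correctly signed but older image may reintroduce a
    # vulnerability that a later update fixed.
    if version <= installed_version:
        raise ValueError("rollback rejected")
    return image[HEADER.size:HEADER.size + length]


def accept_update(verify_key: bytes, image: bytes, installed_version: int) -> bool:
    """Boolean wrapper around verify_image for callers that just need a verdict."""
    try:
        verify_image(verify_key, image, installed_version)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo data, not real Furby Connect firmware.
    manufacturer_key = b"demo-manufacturer-signing-key"
    genuine = build_image(manufacturer_key, 2, b"genuine firmware payload")
    forged = build_image(b"attacker-key", 3, b"malicious firmware payload")
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0xFF  # flip one payload byte after signing

    print("unsigned loader installs forged image:", unsigned_loader(forged))
    print("signed check, genuine:", accept_update(manufacturer_key, genuine, 1))
    print("signed check, forged:", accept_update(manufacturer_key, forged, 1))
    print("signed check, tampered:", accept_update(manufacturer_key, bytes(tampered), 1))
    print("signed check, rollback:", accept_update(manufacturer_key, genuine, 2))
```

Note that the verification covers the header as well as the payload, so the version field is authenticated too; signing only the payload would let an attacker relabel an old image as a newer one and defeat the rollback check.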

Hasbro told Which? that Furby Connect and the Furby app do not collect personally identifiable information such as a user’s name, address or email address. The app also does not allow users to create profiles, does not record users’ voices and does not use the phone’s microphone.

This suggests that Furby Connect owners at least do not face the same risks as users of CloudPets, whose user names and recorded voice messages were exposed in an unsecured database.

Which?’s alert warns consumers about toys that other researchers and consumer protection groups have found security flaws in, including the I-Que Intelligent Robot, Cayla talking doll, CloudPets, and Toy-fi Teddy. 

Germany’s telecommunications regulator, the Bundesnetzagentur, earlier this year called on parents to render Cayla harmless after concluding that the doll qualifies as a concealed surveillance device under German law.

Which?’s call echoes last year’s call by the Norwegian Consumer Council for updated consumer product safety regulations to ensure that data security and privacy are treated as equally important as physical safety.

The FBI recently published an advisory containing a lengthy list of what parents should do “at a minimum” before letting a child use an internet-connected toy. Working through the checklist could make non-technical parents think twice about the effort involved in buying a connected toy and ensuring a child can use it safely.