In anticipation of the current buying season of 2017, the British group of consumer rights Which? warned parents about the risks of giving toys connected to their children, and called for a ban on the sale of devices with known safety and / or privacy risks for reasons of child safety .
Working with security researchers, the group spent the last 12 months investigating several popular Bluetooth or Wi-Fi toys for sale at major retailers, and found "vulnerabilities" in several devices that could "allow to anyone who talks to a child through his toy ".
He published specific results on four of the toys that he watched: Namely the Furby Connect; Intelligent robot I-Que; Teddy toy-fi; and CloudPets Plush.
This latest toy attracted the attention of security experts in February when it discovered that its maker had stored thousands of unencrypted voice recordings of children and parents using the toy in a publicly accessible database – without the authentication required to access the data. (The data was later deleted and redeemed.)
Which one? In any case, it was found that it was far too easy for someone to associate his own device with toys and use the technology to talk to a child. He emphasizes in particular that Bluetooth connections have not been properly secured – noting for example that it was not necessary for a user to enter a password, PIN code or any other other authentication to access it.
"This person would not need any technical know-how to" hack "your child's toy," he writes. "Bluetooth has a range limit, typically 10 meters, so the immediate concern would be somebody with malicious intent nearby." However, there are methods to extend the Bluetooth range, and it's possible that somebody will not be able to use it. one could set up a mobile system in a vehicle to drag the streets in search of unsafe toys. "
In the case of the Furby, Which? Also thought that it would be possible for someone to reconfigure his firmware to turn the toy into a listening device because of a vulnerability that they found in the design of the toy (which he does not disclose publicly).
Although they were not themselves able to do so during the time that they had for the investigation.
Which one? describes his findings as "the tip of a very disturbing iceberg" – also signaling other concerns raised by several European regulatory bodies regarding children's IoT devices.
Last month, for example, the Norwegian Consumer Council warned of similar safety and privacy concerns regarding smartwatches for children.
This summer, the FBI also issued a consumer advisory warning that IoT toys "could endanger the privacy and safety of children because of the vast amount of personal information that could be disclosed without their knowledge" .
"You do not let a young child play with an unattended smartphone and our survey shows that parents should apply the same level of caution if you plan to give a toy connected to a child," said Alex Neill, who ? MD's products and services for the home in a release.
"While we can not deny the enormous benefits these devices can bring to our daily lives, safety and security should be the top priority, and if that can not be guaranteed, then the products should not be sold. "