Two leading European consumer groups -- the UK's Which? and Germany's Stiftung Warentest -- have published an advisory with the results of their lab tests on the security of kids' connected toys, warning that these toys are insecure and could allow strangers to listen in and talk to your kids over the internet.
Among the toys specifically condemned in the report are the notorious Cloudpets, whose entire database of accounts and recorded messages sent between kids and parents was found to have been stored on an unencrypted, non-password-protected Amazon cloud server.
Last month, a Norwegian government agency published a report on kids' smart watches, revealing that they could be used as remote listening and tracking devices by randos over the internet, thanks to their incompetent security implementations.
Also listed in today's report on insecure toys are the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy.
The manufacturers and their industry association told the Guardian that they believe their products are secure.
When switched on, the Furby Connect – on sale at Argos, Amazon, Smyths and Toys R Us – could be connected with any device within a Bluetooth range of 10 to 30 metres.
With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid.
CloudPets toys, on sale at Amazon, are stuffed animals that enable friends to send a child messages that are played on a built-in speaker. But Which? found the toy could be hacked via its unsecured Bluetooth connection.
Also available from Amazon, the Toy-Fi Teddy allows a child to send and receive recorded messages over Bluetooth via a smartphone or tablet app. Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.
Strangers can talk to your child through 'connected' toys, investigation finds [Rebecca Smithers/The Guardian]