Smart toys play with security fire, consumer group finds

Which? reports that it's far too easy to break into these Bluetooth-connected toys.

Sarah McDermott Senior Sub-Editor
Sarah is CNET's senior copy editor in London. She's often found reading, playing piano or arguing about commas.
Expertise Copy editing, podcasts, baking, board games
Sarah McDermott
2 min read
Sarah Tew/CNET

Some of the coolest gifts on store shelves this year have security flaws that leave them vulnerable to hacking and could put children at risk, a consumer safety group warned Tuesday in a report.

The UK-based group Which? researched connected toys and found vulnerabilities in several, including Furby Connect, I-Que Intelligent Robot, CloudPets and Toy-fi Teddy. It found that these toys use unsecured Bluetooth connections and that it would be "too easy" for someone to use them to talk to a child.

"That person would need hardly any technical know-how to 'hack' your child's toy," the report said.


My Friend Cayla may have been too friendly.

Gensis Toys

Which? noted that Bluetooth range is usually limited to about 10 metres (33 feet), so the main concern would be people nearby with malicious intent. However, it wouldn't be impossible to extend Bluetooth range.   

As more toy makers add Wi-Fi and Bluetooth connections to pack in new skills and features, regulators have kept an eye on them for security vulnerabilities. Earlier this year, German regulators stopped sales of My Friend Cayla, a smart doll by Genesis Toys, and classified it as an "espionage device." CloudPets has been criticised for leaving account information and voice recordings exposed online.

Hasbro, which makes Furby Connect, said that it is taking the report seriously and that children's privacy a top priority for the company.

"While the researchers at Which? identified ways to manipulate the Furby Connect toy, we believe that doing so would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?, including reengineering the Furby Connect toy, creating new firmware and then updating the firmware, which requires being within Bluetooth range while the Furby Connet toy is in a 'woke' state," said Julie Duffy, senior vice president of global communications. "A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware."

CNET also contacted Spiral Toys, which makes CloudPets and Toy-fi Teddy, and Genesis Toys, which makes the I-Que Robot. They did not immediately respond to a request for comment.

Playtime is Over: Can smart toys ever be safe?

The Smartest Stuff: Innovators are thinking up new ways to make you -- and the world around you -- smarter.