Posted on December 10, 2019 by staff

Connected toys identified with serious security flaws


A range of connected toys available on the high street and online have been found to include serious security flaws which could put children at risk of exposure to strangers and inappropriate content.

That is the conclusion of research from consumer group Which? after testing of a series of popular ‘smart’ toys fitted with internet and Bluetooth connectivity.

Seven smart toys from major retailers were tested by security specialist lab NCC Group.

Among them was a Karaoke machine fitted with Bluetooth. Which? reports that the device was found to have no authentication or pin code, allowing “anyone to connect to the toys and send recorded messages to your child.”

It said that a Karaoke microphone purchased from Amazon and the Singing Machine SMK250PP both allowed connection from unauthorised devices.

The vulnerability could also lead to a ‘second order attack’, in which the compromised devices could be used to activate smart speakers in the home of the device.

Which? has called on the government to introduce mandatory security standards following the investigation.

Singing Machine told Which? that safety was its top priority and it followed industry best practices and all applicable safety and testing standards.

Other toys identified as having the potential to be compromised included those which allowed content to be uploaded and shared.

Which? said that the Mattel FFB15 Bloxels Build Your Own Video Game had “seemingly no moderation for any inappropriate content”, and the consumer group was able to upload games with swearing to the toy’s store, making it available to others.

The board game has now been discontinued.

The latest report follows a similar investigation carried out by Which? in 2017, which identified a series of toys with security flaws allowing strangers to connect and talk to children directly.

“It’s extremely worrying that two years on we found the same issues – such as Bluetooth connections which lack security measures – and new issues too,” said Which?

“We’re calling on the toys industry to ensure that unsecure products like the ones we’ve identified are either modified, or ideally made secure before being sold in the UK.

“We shared our findings with industry body, the British Toy and Hobby Association, and the Department for Culture, Media and Sport about our research.”