We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Connected toys: Buyers beware this Christmas

Unsecure connected toys could be vulnerable to Christmas hackers

Christmas is upon us and parents are frantically buying presents for their youngsters.

Popular toys this festive season are smart, or ‘connected’ toys, such as Hasbro’s Furby. However, a Which? investigation has found that they can be more naughty than nice.

Watch our video below.

Smart toys – should I buy one? Our guide to all things connected toys

In November, we published a major investigation into four connected toys – the Toy-fi Teddy, CloudPets Bluetooth cuddly toy, i-Que Intelligent Robot and the Furby Connect.

In all cases, it was found that a stranger could use the toy to send messages to a child. Each time, the Bluetooth connection had not been secured, meaning that person didn’t need a password, Pin code or any other authentication to get access.

Someone with basic technical knowledge or, in the case of the i-Que no technical knowledge at all, could easily hack the toys. They would just need to be within Bluetooth range to connect. You can read more on our smart toys investigation and the companies’ responses.

Find out more about the Furby hack in this blog post by our security research colleagues over at Context IS.

How to buy a connected toy

If you’re buying a connected toy this Christmas, make sure you follow these five steps:

1. Carefully research the product: Read the description of the connected toy in the shop or online. Find out what the toy actually does and how your child will interact with it. Search for the name of the toy online. Has it been involved in a hacking story before?

2. What about the company? Also, search for the manufacturer – has it been involved in any cyber controversies, such as a leak of customer data?

3. Tech check: If the toy requires a wi-fi, Bluetooth or other network connection, think about whether you want to give it to your child. You’d possibly think twice before giving them an internet-connected smartphone without any controls, so a toy should be no different.

4. Personal data: If there’s a mobile app or you need to set up an account, what security features are in place, such as usernames and passwords? And what does the company say it will do with your child’s personal information?

5. Do you really need a connected toy? While you don’t want to deny children fun, consider whether it’s best to avoid having to think about internet threats until they get older.

The Information Commissioner’s Office has also warned parents and others about potential data protection and privacy issues with connected toys. It has issued its own buying guide.

‘You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?’ the ICO’s Steve Wood said in a blog post.

What if I have already bought a connected toy?

If you’ve already purchased one of the above toys, or another connected toy, don’t panic. Follow the tips below to stay safe.

When setting up the toy for your child, only submit the minimal amount of personal data. That means not too much data is exposed if things do go wrong.

Enable any security features that are available (usually in the settings), and download any available security updates for the app or toy to make sure you’re protected by the most recent security developments.

Mostly importantly, keep an eye on your child when they’re playing with the toy, particularly if it can send or receive messages. When they’re not playing with it, make sure you turn it off.

How to return your connected toy – your consumer rights

  • If you bought the toy online, your right to cancel an order starts from the moment you enter the contract by paying for the item and ends 14 days after your order has been delivered to you. You then have a further 14 days to return the toy.
  • If you purchased the connected toy in store, check the retailer’s store returns policy to see if you can return unwanted items and how long you have to do this. Retailers tend to extend the period you have to return an unwanted item around Christmas time.
  • If you’re unable to return the smart toy you’re concerned about as an unwanted item, you could still try to return it as a faulty good under the Consumer Rights Act.

Read our advice guide for more guidance on how to return a smart toy which you’re concerned could be hacked.

Back to top
Back to top