Amazon and Ebay have stopped selling the CloudPets smart toys following warnings that they could be hacked to send messages to a child.
The retailers move follows concerns raised about CloudPets products in the US by the Mozilla Foundation. Which? raised similar concerns in the UK in June last year.
Amazon and Ebay initially just dropped the toy for sale in the US, but Amazon has have since confirmed to us that it has stopped selling it in the UK, too.
Ebay said that it is in the process of removing UK listings for the CloudPets interactive toy.
What is a CloudPets?
CloudPets is a stuffed toy with a Bluetooth connection that enables family and friends to send messages to a child, that’s played back on a built-in speaker.
It comes in different varieties, including a dog, bunny, cat, bear and unicorn.
But, with some knowledge, the toy can be hacked and made to play the hackers own voice messages.
In a previous investigation, we hacked the kitten version and made it order itself some cat food from a nearby Amazon Echo (see more in the video below). We were able to connect to the toy’s unsecured Bluetooth connection from even outside in the street, meaning a stranger could potentially do the same.
You can see it in action in our video, below.
Amazon and Ebay US sales halted
Research conducted by Mozilla, the maker of the Firefox web browser, found the same vulnerabilities in CloudPets that Which? exposed last year. A problem that still hasn’t been fixed.
The research also unearthed that Spiral Toys, the maker of CloudPets, had allowed the domain of its tutorial website, mycloudpets.com/tour, to lapse. This could expose CloudPets customers to the risk of being sent a spoof ‘phishing’ emails aimed at stealing their personal information.
Spiral Toys was also previously involved in a data breach.
Mozilla wrote to Amazon and Ebay urging them to drop sales of the toy, and both sides do so in the US.
Ebay told us that its team is currently working to remove remaining listings for CloudPets on its UK website. It said that it doesn’t allow products that can be used to spy on people, regardless of whether they can be hacked or not.
An Ebay spokesperson: ‘This type of item is banned from Ebay’s UK platform and any listings will continue to be removed.’
Amazon confirmed that it has now stopped sales of the CloudPets interactive toy on its UK website. Only the non-connected version of CloudPets remains available to buy via Amazon.
Smart toys must be secure, or not on sale
In another investigation in late 2017, we found other connected toys that had similar vulnerabilities to the CloudPets, including Hasbro’s Furby and the i-Que.
In 1967, Which? successfully campaigned to promote the use of lead-free paint in toys. More than 50 years later and we’re concerned that unsecured connected toys pose a different, but equally pressing risk to our children.
We’re calling for all connected toys with proven security or privacy issues to be taken off sale immediately.
Alex Neill, Which? managing director of home products and services, said: ‘Our research over the past year has demonstrated concerning vulnerabilities in several smart toys, including CloudPets.
‘When you give a toy to a child you expect it to be safe and secure as a minimum. If that can’t be guaranteed, then the products should not be sold. Retailers should not be selling unsafe and unsecured connected toys.’
How to return a CloudPet toy if you’re concerned
If you’re worried about a smart children’s toy that you’ve heard in the press has the potential to be hacked, it’s understandable that you might wish to return your CloudPets smart toy rather than take a risk.
If you purchased it online recently, act quickly. If you recently bought a hackable toy online and have since become concerned by these security flaws, you may still be able to return it using your statutory right to cancel and return good.
The Consumer Contract Regulations give you the right to cancel an online order, starting the moment you place your order and ends 14 days from the day you receive it.
This 14-day period is the time you have to decide whether to cancel, you then have a further 14 days to actually send it back.
Amazon also has a generous no-quibble 30-day returns policy, if you’re outside time allowed by the Consumer Contracts Regulations.
There are different rules if you purchased it in store. You’ll need to check the retailers returns policy to see if you can return unwanted items bought in store and how long you have to do this.
Make a claim for a refund
If you’re unable to return the smart toy you’re concerned about as an unwanted item, you could still try to return it as a faulty product.
For more information on how to do this visit our guide on how to return a smart toy you’re concerned could be hacked.