We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

17 Dec 2021

Which? lab tests uncover security issues with toy drones

We've found five insecure toy drones on sale at major retailers that could put your child's security, privacy and even safety, at risk
Child flying a drone

Toy drones might seem like harmless and fun gadgets to keep your children entertained this Christmas, but our tests have found serious issues that could risk your child's privacy and security.

We tested the internet security of five drones for kids available from popular retailers including Amazon, Argos, Smyths Toys and more, and in collaboration with security specialists Modux, found a range of concerning problems.

Every drone and its smartphone app we tested could be hacked, meaning someone could snoop on the video feed, steal the drone or even cause a safety incident.

Read on to find out more details about the issues we found and what you can do to protect yourself and your little ones.

 Tech tips you can trust - get our free Tech newsletter for advice, news, deals and stuff the manuals don't tell you

Toy drone security concerns

Smartphone drone POV

We tested eight kids' drones and the security issues we identified affect the following five drones:

  • 4DRC RCV2
  • DEERC D20 Mini
  • Drones Direct Proflight D15 PFDB301
  • Ryze Tello powered by DJI
  • Smyths Stunt Streaming Drone

All of these drones have cameras that can record videos, take stills and provide a point-of-view feed direct to your smartphone, when paired with the drone using their companion apps.

Modux uncovered a variety of serious security flaws that you should know about before buying one of these toy drones for your child.

1. A stranger can connect to your drone

To take photos, videos and provide live video feeds, the drones put out a wi-fi signal that your smartphone connects to. On all drones, the wi-fi had no password protection, meaning anyone could connect to the drone while it was switched on and in range.

All drones apart from the 4DRC let more than one person connect to the drone at once, meaning you might not even know that a stranger was also able to control the drone while your child was using it.

And one drone in particular has a function enabling you to program it, but as this has no security protections, that means it's possible for someone to seize control of the drone and potentially cut the power in mid-air.

2. Password change far from simple

We could not find a way to set a wi-fi password on the 4DRC, DEERC and Proflight drones. You could change this on the Ryze Tello drone, but it was not prompted when you set it up.

You could also set a password on the Smyths drone, but this meant connecting to a Chinese language web application, which was far from simple, and again not prompted.

3. Possible to snoop on the video feed

Whether your child is flying the drone inside or outside of the house, with all drones it was possible to connect to the gadget and view the camera feed.

We found no encryption was used on the drones, and this combined with the insecure wi-fi networks meant someone could connect and snoop on what the camera was recording.

This could pose a privacy risk, particularly if it is a child using the drone inside their bedroom.

With the DEERC and Proflight drones we also found that an attacker could potentially hack the drone to access any video files that had been recorded by the user, further putting their privacy at risk.

What should I do if I own one of these drones?

child flying drone

If you own one of products, or any smart device for that matter, we'd encourage you to take the following steps:

  1. Change the default password to something that's unique and hard to guess.
  2. Run security updates as the app developer may be rolling out patches and fixes for any issues identified.
  3. Be careful where you use the device and make sure any recordings don't compromise your privacy.

What did the manufacturers and retailers say?

We contacted manufacturers and retailers with our findings and advised them on steps they should take to better secure the toy drones we tested.

We didn't get any response from 4DRC, DEERC or Drones Direct.

Argos informed us that it's in contact with DJI to investigate the issues raised.

DJI told us: 'Tello drones are not used for high-security applications, their transmission range is very short, and they are among the safest drones on the market because of their small size and limited power. However, Tello supports communication encryption, and users can set up passwords.'

Smyth's Toys said: 'We no longer have this product on sale and will not reorder it. The issues identified by Which? were issues that we had also identified as important when considering listing drones for sale in the future.'

Amazon stated: 'These products are permitted for sale and do not violate our policies. When appropriate, we remove a product from the store, reach out to sellers, manufacturers, and government agencies for additional information, or take other actions.'

Other issues with toy drones

Child flying a drone

Besides the internet security and privacy issues we uncovered at our labs, we also identified other problems that concerned us.

These lightweight drones are prone to veering off, and tilting controls proved ineffective at preventing them from flying away. In addition light breezes often sent the drone off in unintended directions, as their light weight provided little wind resistance.

The propeller guards are pretty flimsy and provide minimal protection to the drones and any objects they might collide with.

Control over the drones quickly deteriorated when the drones went beyond around 10m from the controller and several of the companion apps had patchy functionality; we had multiple instances of not being able to pair our smartphone with the drone.

How we tested toy drones

We shortlisted eight bestselling drones either aimed at children or sold as toy drones, bought them and tried them out to see which ones might be fun to fly, easy to control and well-made.

  • Using the controller- we considered the shape and size of each controller to see if children would have trouble handling them or pressing the buttons, how well-labelled the controller is and any loose joysticks or stuck buttons.
  • Flight tests - we judged how easily each drone could be flown by a beginner by considering the responsiveness of the drone and how it responded to doing simple moves such as taking off, landing, turning and hovering.
  • Durability - we crash-landed each drone we tested several times to see how well it stands up to hard impacts and how effective the propeller guards are.
  • Internet security-we sent the internet-enabled drones to Modux for robust internet security tests to see how well they would hold up against a cyber attacker.

Watch: how hackers target your smart devices

The video below shows how easily we were able to hack gadgets that connect to the internet, including laptops, printers, speakers, webcams and doorbells.

Find out what you can do to protect your privacy and security.

Taking action on insecure smart products

The UK government recently announced a crackdown on insecure smart products, such as these toy drones, stating they must meet basic security standards before they can go on sale.

Following years of campaigning by Which?, the Product Security and Telecommunications Infrastructure Bill will include three basic measures - and all of these drones would fail to meet them.

  • Default passwords: Under the new legislation all devices will have to ship with unique passwords that cannot be reset to any universal factory setting. As all of these toy drones lacked any password at all, they would not meet the required standard.
  • Vulnerability disclosure: All manufacturers must have a clear point of contact so that security researchers or campaign groups, such as Which?, can report any vulnerabilities found with their products. However, as you can see above we were only able to contact two out of five drone brands, and those two didn't have a clear policy that we could find.
  • Software updates: Under the law, manufacturers will have to inform you about the minimum amount of time that a product will receive vital security updates when you are considering buying it. None of these drones had any information on this. Plus, one of the drone apps that we tested hadn't been updated since December 2019.

Our recent story on clone smart products flooding online marketplaces has tips on how to shop safely when buying smart gadgets.