Toy drones might seem like harmless and fun gadgets to keep your children entertained this Christmas, but our tests have found serious issues that could risk your child's privacy and security.
We tested the internet security of five drones for kids available from popular retailers including Amazon, Argos, Smyths Toys and more, and in collaboration with security specialists Modux, found a range of concerning problems.
Every drone and its smartphone app we tested could be hacked, meaning someone could snoop on the video feed, steal the drone or even cause a safety incident.
Read on to find out more details about the issues we found and what you can do to protect yourself and your little ones.
We tested eight kids' drones and the security issues we identified affect the following five drones:
All of these drones have cameras that can record videos, take stills and provide a point-of-view feed direct to your smartphone, when paired with the drone using their companion apps.
Modux uncovered a variety of serious security flaws that you should know about before buying one of these toy drones for your child.
To take photos, videos and provide live video feeds, the drones put out a wi-fi signal that your smartphone connects to. On all drones, the wi-fi had no password protection, meaning anyone could connect to the drone while it was switched on and in range.
All drones apart from the 4DRC let more than one person connect to the drone at once, meaning you might not even know that a stranger was also able to control the drone while your child was using it.
And one drone in particular has a function enabling you to program it, but as this has no security protections, that means it's possible for someone to seize control of the drone and potentially cut the power in mid-air.
We could not find a way to set a wi-fi password on the 4DRC, DEERC and Proflight drones. You could change this on the Ryze Tello drone, but it was not prompted when you set it up.
You could also set a password on the Smyths drone, but this meant connecting to a Chinese language web application, which was far from simple, and again not prompted.
Whether your child is flying the drone inside or outside of the house, with all drones it was possible to connect to the gadget and view the camera feed.
We found no encryption was used on the drones, and this combined with the insecure wi-fi networks meant someone could connect and snoop on what the camera was recording.
This could pose a privacy risk, particularly if it is a child using the drone inside their bedroom.
With the DEERC and Proflight drones we also found that an attacker could potentially hack the drone to access any video files that had been recorded by the user, further putting their privacy at risk.
If you own one of products, or any smart device for that matter, we'd encourage you to take the following steps:
We contacted manufacturers and retailers with our findings and advised them on steps they should take to better secure the toy drones we tested.
We didn't get any response from 4DRC, DEERC or Drones Direct.
Argos informed us that it's in contact with DJI to investigate the issues raised.
DJI told us: 'Tello drones are not used for high-security applications, their transmission range is very short, and they are among the safest drones on the market because of their small size and limited power. However, Tello supports communication encryption, and users can set up passwords.'
Smyth's Toys said: 'We no longer have this product on sale and will not reorder it. The issues identified by Which? were issues that we had also identified as important when considering listing drones for sale in the future.'
Amazon stated: 'These products are permitted for sale and do not violate our policies. When appropriate, we remove a product from the store, reach out to sellers, manufacturers, and government agencies for additional information, or take other actions.'
Besides the internet security and privacy issues we uncovered at our labs, we also identified other problems that concerned us.
These lightweight drones are prone to veering off, and tilting controls proved ineffective at preventing them from flying away. In addition light breezes often sent the drone off in unintended directions, as their light weight provided little wind resistance.
The propeller guards are pretty flimsy and provide minimal protection to the drones and any objects they might collide with.
Control over the drones quickly deteriorated when the drones went beyond around 10m from the controller and several of the companion apps had patchy functionality; we had multiple instances of not being able to pair our smartphone with the drone.
We shortlisted eight bestselling drones either aimed at children or sold as toy drones, bought them and tried them out to see which ones might be fun to fly, easy to control and well-made.
The video below shows how easily we were able to hack gadgets that connect to the internet, including laptops, printers, speakers, webcams and doorbells.
Find out what you can do to protect your privacy and security.
Following years of campaigning by Which?, the Product Security and Telecommunications Infrastructure Bill will include three basic measures - and all of these drones would fail to meet them.