Smart toys - should you buy them?
By Andrew Laughlin
If you're considering buying a smart or connected toy, before you head to the shops make sure you download our buying guide below:
What are smart toys?
Smart toys, also known as connected toys, come in all shapes and sizes, but all have some degree of connectivity allowing you and your child to interact with the toy via a smart device.
However, the drive to ‘get connected’ shouldn’t come at the cost of privacy, security and safety, especially given that some of these toys are aimed at children as young as three years old.
Read on for more details on what the risk is and find out how to protect your family. Here's the list of toys investigated:
1. Furby Connect
2. i-Que Intelligent Robot
3. CloudPets
4. Toy-Fi Teddy
5. WowWee Chip
What's the risk?
A stuffed toy that enables family and friends to send messages to a child may not seem like much of a risk, but with nearly all the connected toys looked at in this investigation posing a real risk to your children, it's worth being more aware of your child's privacy and data. This isn't an isolated case: a quick Google search on many connected toys will bring up a frightening array of news stories about potential hacks or data breaches.
In the video, see how easy it is to use a connected toy to send a message to a child. This is all because the connection isn't secure. Our concern is that this could easily get into the hands of the wrong people, who could use the same method to ‘speak’ to children from outside the home.
And the toys we've covered in more detail below aren't just isolated incidents.
In February, the communications watchdog in Germany advised parents with the Cayla talking doll to destroy it over fears that it could leak personal data. This followed security researchers discovering that it has an unsecured Bluetooth device embedded in it.
It's not just the potential to hack a toy that is the problem. In 2015, leading toy maker VTech suffered a massive data breach which resulted in the details of five million parents and children being leaked, along with photos and chat logs. The poor response from the company led security experts to urge people to 'boycott' VTech.
Hackers and your home: how to protect your family
With these smart toys being marketed to children as young as three years old, it's worrying that nearly all of them had some sort of vulnerability. Parents buy toys to entertain their children and may not realise they are inadvertently exposing them to risk. The European Commission and other bodies are currently investigating whether such toys are in violation of EU laws on data protection.
However, we're not just concerned about insecure connected toys. Previous investigations have exposed flaws in a whole range of gadgets, from coffee machines to cameras, and routers to robot vacuum cleaners. At Which? we'll be testing more products for how they safeguard your privacy and security. In the meantime, find out five ways to protect your smart home from hackers.
To help keep your family safe, we've compiled a smart toy checklist of the things you need to be aware of before buying a connected toy and once you've brought one home. Download it via the link below.
How different smart toys measured up
Over 2016 and 2017, Which? and various partner organisations, including a German consumer group and security researchers Context IS and SureCloud, have conducted various investigations into connected toys. There has also been a selection of investigations conducted by other organisations and researchers. As you can see below, some connected or 'smart' toys are being made and sold without security or protections for your child's privacy. With some of the toys featured here, anybody could send their own audio (voices, or otherwise) to be played back to anyone within earshot of the toy, or they could remotely capture audio through the toy and listen to it through a phone or laptop.
Significant vulnerabilities leave these children’s toys open to being hacked or something more sinister. Someone with malicious intentions could use these toys to speak to your children directly from outside your house. To give them instructions, perhaps?
Furby Connect
We asked information security firm Context IS to assess the security of the popular Furby Connect talking toy – and the news wasn't good. Anyone within Bluetooth range can connect to the toy when it's switched on. Plus, you can make the connection via a laptop, opening up more opportunities to control the toy.
Utilising an existing hack posted by a user nicknamed ‘Jeija’, Context was able to get the Furby to play Context audio files and manipulate the graphics in the Furby's eyes. While we could not turn the Furby into a listening device in the time we had, Context believes this is possible if someone was able to re-engineer its firmware.
Furby-maker Hasbro told us that it takes our report “very seriously”, but feels that the vulnerabilities we've exposed would require someone to be in close proximity to the toy and possess the technical knowledge to re-engineer the firmware.
“We feel confident in the way we have designed both the toy and the app to deliver a secure play experience,” the firm added. “The Furby Connect toy and Furby Connect World app were not designed to collect users’ name, address, online contact information (e.g., user name, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.”
Available from: Argos, Amazon, Toys R Us, Smyths
i-Que Intelligent Robot
It's billed as the 'ultimate robot' that talks back to you. It comes with sound effects and you can even ask it questions or get it to tell you jokes. It's been around for a while and uses Bluetooth to pair with your smart device. It's sold as having internet safe search filters. It's designed for ages four years and over.
Made by Genesis Toys, this brightly coloured robot talks back to you, spits sound effects and can even tell some (pretty dire) jokes. Our German sister consumer organisation, Stiftung Warentest, found that it uses Bluetooth to pair with a phone or tablet, but the connection is unsecured. In fact, anyone can download the app, find an i-Que within Bluetooth range and start chatting by typing into a text field (see more in the video report above). Worse still, the robot speaks in its own voice and so, if the child has played with it for a while, they could be more willing to trust it.
Vivid Toys, UK distributor of i-Que, told us that it takes reports of security issues with the i-Que “very seriously”, although it said that “there have been no reports of these products being used in a malicious way”. Vivid said that it will take our recommendation about adding Bluetooth authentication to Genesis Toys and “actively pursue this matter with them directly”. It added: “The connected toys distributed by Vivid fully comply with essential requirements of the Toy Safety Directive and harmonised European standards, and (we) consider these products to be safe for consumers to use when following the user instructions.”
Available from: Argos, Hamleys, online
CloudPets
CloudPets is a stuffed toy that enables family and friends to send messages to a child, played back on a built-in speaker. It comes in dog, bunny, cat and bear varieties. With some knowledge, someone can hack the toy and make it play their own voice messages. In a previous investigation, we hacked the kitten version and made it order itself some cat food from a nearby Amazon Echo (see more in the video below). We were able to connect to the toy's unsecured Bluetooth connection even from outside in the street.
CloudPets maker, Spiral Toys, has not yet made a public comment on CloudPets' Bluetooth vulnerabilities. However, it did respond about a separate data breach earlier in 2017, stating: “Protecting our user’s privacy is very important to us, particularly when children are involved. We’re taking several steps to make sure that your account and recordings are safe.”
Available from: Amazon, online
Toy-Fi Teddy
This cuddly, cute-looking teddy with a red heart on its chest enables the child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. Stiftung Warentest found that the Bluetooth lacks any authentication protections, meaning strangers can also send their voice messages to the child, and receive answers back.
Toy-Fi is also made by Spiral Toys, which has not commented on the vulnerability.
Available from: Amazon, online
WowWee Chip
Who doesn't want a pet dog? WowWee Chip is the answer. This super-cute dog is billed as a 'smart and loveable robot dog'. Controlled by a watch your child will wear, he'll follow their commands, adapt to their personality and even comes with a 'Smartball' to play fetch with. It's designed for ages 8 years or over.
This toy has the same Bluetooth vulnerabilities as the others featured here, but hackers can only take remote control of the toy, rather than speak to the child.
Available from: Argos, Amazon, Toys R Us, online
Connected toys: What we're calling for
In 1967, Which? successfully campaigned to promote the use of lead-free paint in toys. Some 50 years on and we feel unsecured connected toys pose an equally important risk.
Which? feels that more care needs to be taken when designing smart gadgets and toys, and the security and privacy of the user should not be left as afterthoughts. Manufacturers and retailers must take the security of internet-enabled and smart products seriously by incorporating it as a top priority from the outset.
We're calling for all connected toys with proven security or privacy issues to be taken off sale.
Alex Neill, Which? Managing Director of Home Products and Services, said: “Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
Could your baby monitor be hacked?
In our lab, we test many smart products for how they might impact on your family’s privacy and security. Baby monitors are one example.
Having your baby monitor hacked is the last thing on your mind when choosing which one to buy, but our snapshot investigation revealed there are valid concerns about some models which you need to be aware of before you buy one.
In each of our latest baby monitor reviews we provide a privacy rating, which gives you an indication of how secure the baby monitor is, based on an assessment of: privacy settings, how complicated the security features are to set up, whether or not any data is encrypted, and the security of any cameras and videos or images.