Thursday, November 16, 2017

Poor security in "Connected" toys

I've been posting about this for some time, so it's good to see other folks chiming in:
A consumer group is urging major retailers to withdraw a number of “connected” or “intelligent” toys likely to be popular at Christmas, after finding security failures that it warns could put children’s safety at risk.  
Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child.  
The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.
A lot of this is basic no-security-on-Bluetooth, which limits the range at which someone could exploit it to 100 feet or so.  But some of it is a lot more worrying:
With the i-Que Intelligent Robot, available from Argos and Hamleys, the investigation discovered that anyone could download the app, find an i-Que within their Bluetooth range and start using the robot’s voice by typing into a text field. The toy is made by Genesis, which also manufactures the My Friend Cayla doll, recently banned in Germany owing to security and hacking concerns. Both toys are distributed in the UK by Vivid.

The link at the top of this post is from a year ago, and talks about most of these toys.  A year later, the manufacturer has done nothing to fix the security holes - that tells you everything you need to know about whether you can trust them with your little bundle of joy.

Let me just say that the Northeast Gunbloggers know how to deal with Furbys.  Just sayin'.

1 comment:

Rick C said...

This is another one of those "security wasn't an afterthought. Security was never thought of" situations.