
Sunday, 25 February

If Dolly Can Be Hacked, What About The Hand Dryer?


Connected toys with Bluetooth, wi-fi and mobile apps may seem like the perfect gift for Christmas. But Which? has found that, without appropriate safety features, they can also pose a big risk to a child’s safety. 

Watch the video below to see just how easy it is for anyone to take over the voice control of a popular connected toy, and then ask: if it is that easy, which IoT installations in your building are just as vulnerable? (And should you be copying this article to all staff as a Christmas-present warning? You have our permission, by whatever means you choose.)

Which? also says it is not talking about professional hackers, claiming it is easy enough for almost anyone to do.


Connected toys safety

Over the past 12 months, Which?, in collaboration with consumer organisations and security research experts, has conducted investigations into popular Bluetooth or Wi-Fi toys on sale at major retailers. Here, we present findings on just four – the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets cuddly toy:

  • In all cases, it was found to be far too easy for someone to use the toy to talk to a child.
  • Each time, the Bluetooth connection had not been secured, meaning that person didn’t need a password, PIN code or any other authentication to get access. That person would need hardly any technical know-how.
  • Bluetooth has a range limit, usually 10 metres, so the immediate concern would be someone with malicious intentions nearby. However, there are methods for extending Bluetooth range and it’s possible someone could set up a mobile system in a vehicle to trawl the streets hunting for unsecured toys.


Connected toys that are easily hacked

I-Que Intelligent Robot

Available from: Argos, Hamleys, online

Made by Genesis Toys, this brightly coloured robot talks back to you, spits sound effects and can even tell jokes.

The German consumer organisation, Stiftung Warentest, found that it uses Bluetooth to pair with a phone or tablet, but the connection is unsecured. In fact, anyone can download the app, find an i-Que within Bluetooth range and start chatting by typing into a text field (see more in the video report).

Worse still, the robot speaks in its own voice and so, if the child has played with it for a while, they could be more willing to trust it.

Vivid Toys, UK distributor of i-Que, told Which? that it takes reports of security issues with the i-Que ‘very seriously’, although it said that ‘there have been no reports of these products being used in a malicious way’. Vivid said that it will take our recommendation about adding Bluetooth authentication to Genesis Toys and ‘actively pursue this matter with them directly’. It added: ‘The connected toys distributed by Vivid fully comply with essential requirements of the Toy Safety Directive and harmonised European standards, and (we) consider these products to be safe for consumers to use when following the user instructions.’


Furby Connect

Available from: Argos, Amazon, Toys R Us, Smyths.

Which? asked information security experts Context IS to assess the security of the popular Furby Connect talking toy – and the news wasn’t good. Just like the i-Que, anyone within Bluetooth range can connect to the toy when it’s switched on, with no physical interaction required. This is because it does not use any security features when pairing. Plus, you can make the connection via a laptop, opening up more opportunities to control the toy.

Context IS was able to build upon some previous work by Florian Euchner (see https://github.com/Jeija/bluefluff) to upload and play a custom audio file on the Furby. This audio file could be anything, including inappropriate material. While Which? could not turn the Furby into a listening device in the time available, Context IS believes this is possible if someone was able to re-engineer its firmware due to another vulnerability found in the toy’s design (which we will not be publishing).

Context IS feels it is possible to add more security to the toy via the standard Bluetooth bonding procedure, which exchanges an encryption key (the long-term key, or LTK) with the phone or tablet during initial set-up. It is possible to remove the firmware vulnerability, too.

Furby-maker Hasbro told Which? that while it takes the report ‘very seriously’, it feels that the vulnerabilities exposed would require someone to be in close proximity to the toy and possess the technical knowledge to re-engineer the firmware.

‘We feel confident in the way we have designed both the toy and the app to deliver a secure play experience,’ the firm added. ‘The Furby Connect toy and Furby Connect World app were not designed to collect users’ name, address, online contact information (eg, user name, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.’


CloudPets

Available from: Amazon, online.

CloudPets is a stuffed toy that enables family and friends to send messages to a child, played back on a built-in speaker. It comes in dog, bunny, cat and bear varieties. With some knowledge, someone can hack the toy and make it play their own voice messages.

In a previous investigation, Which? hacked the kitten version and made it order itself some cat food from a nearby Amazon Echo (see more in the video below). Which? were able to connect to the toy’s unsecured Bluetooth connection from even outside in the street.

CloudPets maker, Spiral Toys, has not yet made a public comment on CloudPets’ Bluetooth vulnerabilities. However, it did respond about a separate data breach earlier in 2017, stating: ‘Protecting our users’ privacy is very important to us, particularly when children are involved. We’re taking several steps to make sure that your account and recordings are safe.’

With regard to the Echo, Amazon said: ‘To shop with Alexa, customers must ask Alexa to order a product and then confirm the purchase with a “yes” response to purchase via voice. If you asked Alexa to order something by accident, simply say “no” when asked to confirm. You can also manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order. Additionally, orders placed with Alexa for physical products are eligible for free returns.’


Toy-fi Teddy

Available from: Amazon, online.

This cuddly, cute-looking teddy with a red heart on its chest enables the child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. However, again, Stiftung Warentest found that the Bluetooth lacks any authentication protections, meaning strangers can also send their voice messages to the child and receive answers back.

Toy-Fi is also made by Spiral Toys, which has not commented on the vulnerability.

Stiftung Warentest has also tested the Wowee Chip, which has the same Bluetooth vulnerabilities, but hackers can only take remote control of the toy, not speak to the child. It looked at the Fisher-Price Smart Toy Bear and Mattel Hello Barbie to test for security issues, too. The findings weren’t as concerning as those above, but both toys have hit the media previously with alleged hacking risks.


My Friend Cayla

Last year, Germany’s telecoms watchdog ordered parents with the My Friend Cayla talking doll to destroy it, as it could be used to ‘illegally spy’ on children. This followed researchers and consumer groups having expressed concern that access to the doll was completely unsecured, in a similar way to the findings above.

The German Federal Network Agency classified Cayla as an ‘illegal espionage apparatus’, which means that in Germany retailers could be fined if they continued to sell it or failed to disable its wireless connection before sale.

Like the I-Que, My Friend Cayla is manufactured by Genesis Toys and distributed in Europe by the Vivid Toy Group.

Which?'s US colleagues, Consumer Reports, has previously filed complaints in America about I-Que and Cayla. In July 2017, the FBI took the step of issuing a warning about connected toys in general, stating that: ‘Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use.’

In the cases featured above, the security could have been increased with proper authentication on the Bluetooth connection. With toys such as the Furby, this is possible via a firmware update.
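The paragraphs above (Context IS on bonding with an LTK, and this closing point about authentication) describe the fix in one sentence each. As an added illustration, not code from Which?, Context IS or any toy maker, the following Python models how a BLE peripheral's GATT server decides whether to accept a write to a characteristic such as the Furby's audio upload: the "as shipped" characteristic accepts any connected device, while the hardened one answers an unpaired device with the ATT error that tells a phone to pair first. The ATT error codes are the real ones from the Bluetooth Core Specification; the characteristic names, permission flags, link states and sample data are assumptions constructed for the demo.

```python
# Added illustration, not code from Which?, Context IS or any toy maker: how a BLE
# peripheral's GATT server enforces link security on a writable characteristic.
# ATT error codes are from the Bluetooth Core Spec; names and link states are constructed.
from dataclasses import dataclass
from enum import IntFlag

ATT_SUCCESS = 0x00
ATT_ERR_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_ERR_INSUFFICIENT_ENCRYPTION = 0x0F


class Perm(IntFlag):
    WRITE = 1                # characteristic accepts writes at all
    WRITE_ENCRYPTED = 2      # link must be encrypted with a bonded LTK
    WRITE_AUTHENTICATED = 4  # pairing must have been MITM-protected, not "Just Works"


@dataclass
class Link:
    peer: str
    encrypted: bool = False      # LTK from bonding is in use on this connection
    authenticated: bool = False  # pairing used a passkey or numeric comparison


@dataclass
class Characteristic:
    name: str
    perms: Perm
    value: bytes = b""

    def write(self, link: Link, data: bytes) -> int:
        """Checks a GATT server makes before accepting an ATT Write Request."""
        if Perm.WRITE_AUTHENTICATED in self.perms and not link.authenticated:
            return ATT_ERR_INSUFFICIENT_AUTHENTICATION
        if Perm.WRITE_ENCRYPTED in self.perms and not link.encrypted:
            return ATT_ERR_INSUFFICIENT_ENCRYPTION
        self.value = data
        return ATT_SUCCESS


def demo() -> dict:
    """Constructed scenario: an audio-upload characteristic as shipped versus hardened."""
    stranger = Link("laptop in the street")                            # connected, never paired
    just_works = Link("phone paired with Just Works", encrypted=True)  # encrypted, no MITM protection
    parent = Link("parent's phone", encrypted=True, authenticated=True)
    shipped = Characteristic("audio_upload (as shipped)", Perm.WRITE)
    hardened = Characteristic("audio_upload (bonding required)",
                              Perm.WRITE | Perm.WRITE_ENCRYPTED | Perm.WRITE_AUTHENTICATED)
    return {
        "shipped/stranger": shipped.write(stranger, b"clip"),
        "hardened/stranger": hardened.write(stranger, b"clip"),
        "hardened/just_works": hardened.write(just_works, b"clip"),
        "hardened/parent": hardened.write(parent, b"clip"),
    }
```

The `just_works` case is the caveat a reviewer would check for: bonding alone only encrypts the link, so a toy that requires encryption but not an authenticated key still accepts anyone who pairs with it.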


Connected toys: What we’re calling for

In 1957, Which? successfully campaigned to promote the use of lead-free paint in toys. Nearly 60 years on and Which? feel unsecured connected toys pose a different but equally important risk to children.

Which? are calling for all connected toys with proven security or privacy issues to be taken off sale.

Picture: The robot in our video below is not the only connected toy parents need to be wary of this Christmas - and should FMs be as concerned about easy-to-hack IoT in their buildings?

Article written by Andrew Laughlin of Which?
