Smart toys fall short in basic security measures, consumer group says

Smart toys sold by major retailers including Amazon, Argos, John Lewis and Smyths are vulnerable to HACKING and could enable a stranger to talk to a child, warns consumer watchdog

  • Which? calls for smart toy ban until they pass basic security measures
  • Consumer group exposes security flaws in smart toys before Christmas 
  • Walkie talkies could allow adult to converse with a child from 200 metres away
  • New government urged to make appropriate security standards mandatory

Worrying security flaws that leave children at risk of being contacted by strangers have been found in smart toys in the run-up to Christmas.

Consumer group Which? tested seven smart and internet-enabled kids’ toys and found three were vulnerable to being hacked due to unsatisfactory security.

Which? has urged the next government to make it mandatory for manufacturers to ensure smart products meet appropriate security standards before they go on sale.

Toy manufacturers must show they take the security of internet-enabled and smart products seriously, it said, by introducing basic level security as a first step. 

The Vtech KidiGear Walkie Talkies could allow someone to start a two-way conversation with a child from a distance of up to 200 metres, Which? found

‘While there is no denying the huge benefits smart gadgets can bring to our daily lives, the safety and security of users should be the absolute priority,’ said Natalie Hitchins, Which? head of home products and services. 

‘The next government must ensure manufacturers design connected tech products with security as paramount if it is going to prevent unsecure products ending up in people’s homes.’

Which? investigated seven devices being sold in the run-up to Christmas by major retailers including Amazon, Argos, John Lewis and Smyths.

A security flaw in Vtech’s KidiGear Walkie Talkies could allow a person to start a two-way conversation with a child from a distance of up to 200 metres, it found.

But Hong Kong-based Vtech said in response that the attacker would need to initiate pairing within 30 seconds of a child switching on their device in order to connect.

Children’s karaoke products sold online by Xpassion/Tenva and Singing Machine, meanwhile, were found to have weak Bluetooth security, meaning a person could send recorded messages within 10 metres without protections such as a PIN.

Singing Machine said in response that it follows ‘best practices’ and ‘testing standards’. 

Which? also said that personal data of those who own Singing Machine model SMK250PP, AI-powered Boxer Robot, board game Mattel Bloxels and coding game Sphero Mini is at risk, after finding that users are not required to create strong passwords for user accounts.

Singing Machine model SMK250PP could allow people within 10 metres to send recorded messages to a child because the Bluetooth has no authentication

Karaoke microphone, sold online by Xpassion/Tenva, was also lacking in Bluetooth authentication

Bloxels and Sphero Mini also had no filter protections to prevent explicit language or offensive images from being uploaded to their online platforms, Which? added. 

Any child using the public portal or app on these products could then see or hear this content.

The consumer group has called for basic measures such as requiring a unique password before use, data encryption and consistent security updates, as well as appropriate enforcement from government. 

The government’s Department for Digital, Culture, Media & Sport (DCMS) established a new voluntary code in October 2018 to improve the security of connected technology products.

But most manufacturers have failed to sign up — only three have signed up publicly, Which? claimed — and the threat of unsecure products continues. 

Which? carried out its investigation in collaboration with security testing, audit and compliance experts NCC Group and has offered consumers advice on how to buy and use smart toys. 


1. Read the description of the connected toy carefully in the shop or online. Find out what the toy actually does and how your child will interact with it. Toys such as the Rizmo — an interactive cuddly toy that was also tested and didn’t raise concerns — don’t require an external network connection or mobile app, and so the risk to your child is lower. 

2. Search online to see if there have been any security concerns raised about the toy previously, such as a leak of personal data. If you are at all concerned, consider a non-smart toy instead. 

3. If you do buy a smart toy, submit only the minimal amount of personal data required when setting up an account for your child, so that not too much data is exposed if things do go wrong. Do set strong passwords, though, to ensure any accounts are properly protected.

4. Keep an eye on your child when they’re playing with the smart toy, particularly if it can send or receive messages. It is not advisable to leave them unsupervised. 

5. When your child is not playing with the smart toy, make sure you turn it off completely so that it is not vulnerable to being exploited.

Source: Which?  
