Popular Smart Toys Still Bring Considerable Security Risks, Warns Consumer Group
Two years after its first report on the security flaws of smart toys, consumer group Which? is again sounding the alarm: buying a connected toy may put your child or even your entire family at risk of a third party exploiting the toy’s vulnerabilities.
And some popular smart toys currently sold online have plenty of vulnerabilities, Which? reports. Partnering with security testing, audit and compliance experts NCC Group, Which? tested some of the most popular and best-reviewed smart toys on Amazon, Argos, John Lewis and Smyths. They concluded that many of them, despite claiming to be safe, “lack in basic security.”
The Singing Machine SMK250PP karaoke machine and a karaoke microphone sold on Amazon by the retailer TENVA both use a Bluetooth connection to stream audio from a phone or other device straight to the toy.
Both toys accept a connection from any Bluetooth audio source without authentication (no PIN or confirmation on the toy), so a stranger within the roughly 10-meter Bluetooth range could connect their own phone and play whatever audio they choose through the toy to the child.
Because they accept unauthenticated connections, Which? says both toys could also be used for a second-order attack: an attacker could play voice commands through the toy’s speaker at a voice-controlled device within earshot, such as an Amazon Echo, and through it control connected devices such as a smart door lock.
The Vtech KidiGear walkie talkie is only partly justified in claiming encrypted digital communication, the report notes. The handsets pair with each other during a 30-second window, and that pairing requires no authentication, so a stranger who initiates pairing during that window could easily link their own device to the child’s. They could then hold conversations with the child from up to 200 meters away, a scary prospect for any parent.
Vtech says that the so-called security flaw isn’t much of a flaw, since there are too many “ifs” to the scenario. Moreover, once both walkie talkies are paired, a third can’t connect to the child’s device. Vtech stresses that the walkie talkies use industry standard AES encryption to communicate and are as safe as they claim.
Two other toys, the Mattel FFB15 Bloxels Build Your Own Video Game and the Sphero Mini interactive toy, let users post unfiltered content to the online platform of their companion apps. Someone could upload graphic language or offensive images, and it would instantly be visible to the entire community, because whatever content filtering the respective platforms have does not work as intended.
The good news is that one of “the hotly tipped toys of Christmas 2019,” the Rizmo, is safe: it has no connectivity, so all interaction is strictly between the child and the toy. The bad news is that the flaws exposed in this new round of tests are “depressingly simple” and should not appear in highly rated toys from big brand names.
Which? advises shoppers to buy smart toys only with proper consideration and after serious research. Before you head out to buy your kid the latest gadget you’ve seen on TV, read up on it to find out how the child can interact with the toy and, more importantly, if it has ever raised privacy concerns.
When in doubt, choose a non-smart toy over a smart one. If you’ve done the research and you still opt for a connected toy, choose strong passwords, limit the amount of data you share, and always keep an eye on the child when they’re playing with it. When it’s not in use, switch it off completely.