Experts hacked into top Xmas smart toys to show how vulnerable they are to cyber predators
MANY of this year’s top Christmas smart toys could be used to spy on your kids or allow strangers to talk to them, security experts have warned.
Independent security researcher Sarah Jamie Lewis tested six popular gadgets and found that it was "shockingly simple" to take control of any toy with a wifi or Bluetooth connection.
These included the Q50 smart tracking watch, the Star Wars BB-8 droid, the Mass Effect: Andromeda RC car, the Sky Viper drone, AirHogs car and the CogniToys Dino.
All these toys have unsecured Bluetooth or wifi connections, meaning the security testers were not required to supply a password or PIN to gain access to the device.
For example, the Q50 smart tracking watch had fundamental security flaws that would allow a stranger to pose as a parent and send fake messages or SMS alerts to a child.
The research also revealed that the Star Wars BB-8 droid, like most Bluetooth devices, had "no authentication mechanism".
This means it’s technically possible that an attacker could use the toy's sensors to map a room.
Fortunately for parents, a more likely outcome would be to cause the toy to act as a strobe at a fast frequency.
The Mass Effect: Andromeda RC car is also at high risk of hacking – taking just 14 minutes to compromise.
This would allow hackers to intercept live video streams using the built-in camera and infect the toy with malware via dodgy software updates.
Most of these gadgets, which connect to the internet via Bluetooth or wifi, are sold at major retailers including Argos, Amazon and Currys.
Sarah Jamie Lewis said: "It was shockingly simple to take full control of these toys and intercept video feeds from onboard cameras within minutes.
"This opens up a number of frightening scenarios where anyone, even a stranger driving around in a car, can discover these vulnerable Wi-Fi enabled toys, and can hack into these devices with the intent of violating a child's privacy or worse."
The Sun Online has contacted all the manufacturers of the toys with high-risk security bugs but none has responded.
Elemental Path, the brand behind the CogniToys Dino, denied the claims in the research.
A spokesperson said: "The statement that the wifi passwords and voice data are exposed and that 'strangers can listen in' is absolutely false.
"When we built out the toy, we made several security conscious decisions trying to balance out ease of use for the parent, depth of activity for the child, privacy of the parent and child, and of course, the security of the platform as a whole.
"Any recordings made are encrypted and streamed and not stored on the device at all. The keys used for each session are unique to each and the keys themselves are individually cycled so no two toys will ever have the same set of keys."
Simon Migliano, from comparison website Top10VPN.com, which commissioned the research, said the findings must serve as a wake-up call to the toys industry and regulators to prevent children from being put at risk.
"Until there is a security standard that must be met by all connected toy manufacturers, we would urge parents to think very carefully about buying any smart products for their children," he said.
"It’s easy to get caught up in the fun of toys that have increasingly sophisticated functionality built in, but given what we’ve managed to do with the six toys we tested, as a parent myself, I certainly would not expose my children to this kind of danger," he added.
The discoveries come in the wake of serious warnings about smart toys from consumer group Which?.
An investigation by the group found that the Furby Connect, i-Que Intelligent Robot, Toy-fi Teddy and CloudPets could all be accessed via Bluetooth or wifi connections.
Which? is calling on retailers to stop selling smart toys with known security problems.
Alex Neill, from Which?, said: “Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
“Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold.”
It follows similar investigations into smart products, such as the Amazon Echo and smart toys.
How to protect smart toys
SMART toys might keep your children occupied, but here's how to minimise the risk of hacking.
- Don't stick with the default password: Starting with your router, be sure to change the password of every device connected to your broadband. Smart products need an internet connection to function, and all the signals are going through your router. If that's not secure, it could compromise everything on your home network.
- Complete the set-up: All smart devices should be connected to a secure wi-fi network. This is because many use their own wi-fi during the set-up process which, if left unsecured, is an easy target for attackers located within range of the device.
- Location, location: Be mindful of where devices are located in the home. Those close to windows or behind thin doors can be more easily accessed from outside.
- Talk to your children: Warn them to tell you about any messages that they get which are from strangers.