Smart toys at top of Christmas lists vulnerable to being hacked says Which?
Which? has called on retailers including Amazon, Argos, John Lewis and Smyths to withdraw a number of smart toys from sale after finding many had a troubling lack of inbuild security leaving them open to hackers.
The consumer watchdog tested seven popular toys and found that three had security flaws potentially meaning “someone else could connect to the toy and actually start a two-way conversation with the child”.
A £30 Vtech KidiGear Walkie Talkie device could be hijacked to allow a hacker to have a two-way conversation through the device from 650ft away.
Another two popular karaoke microphone toys reportedly allowed people within 32ft to send recorded messages via a Bluetooth connection
Furthermore, smart toys such as the Bloxels video game builder and Sphero Mini coding game had no filter to prevent explicit languages or offensive images being uploaded to their public platoforms.
“The reality is that all internet connected devices, from mobile phones to smart toys, are vulnerable to some extent,” cyber-security firm Darktrace’s director of threat hunting Max Heinemeyer said.
“The explosion in IoT and the security issues this introduces is forcing us to rethink how we do security. We need a radically different approach to cyber-security with artificial intelligence.
“We have seen some targeted attacks, like those mentioned in the report, against smart phones where users download apps from trusted companies that secretly carry malware which activates, leading to microphones/cameras turning on or private messages being read.”
In response to the report, an Amazon spokesperson told Sky News that it required “all products offered in our store to comply with applicable laws and regulations”.
John Lewis also told the publication that it took “security and privacy of connected devices very seriously”.
It added: “In the last year, we have been working with the Department for Digital, Culture, Media and Sport to explore how we can best support the voluntary code of practice which improves the security of connected technology products.”
Argos and Smyths were yet to respond to request for comment.