The Independent's journalism is supported by our readers. When you purchase through links on our site, we may earn commission.

Children could be contacted by strangers through cameras and microphones on smart toys, Which? finds

Consumer watchdog is calling on toys industry to ensure products are secure before being sold

Sarah Young
Tuesday 10 December 2019 11:07 GMT

Children are at risk of being contacted by strangers through smart toys, an investigation has found.

Consumer watchdog Which? has found security flaws in a number of popular children’s toys, including walkie talkies and karaoke machines, which could leave them open to being hacked by other users.

The group tested seven popular devices with the help of cyber security experts NCC Group which assessed the toys for whether they could be exploited to pose a risk to the child and/or parents.

The researchers performed a variety of tests, ranging from an assessment of software vulnerabilities to a full hardware teardown to investigate how the toys have been made.

Out of the seven toys, Which? states that three have the potential to be exploited so a stranger could communicate with a child, including Vtech’s KidiGear Walkie Talkies which could enable someone to start a two-way conversation with a child from a distance of up to 200m (656ft).

In a statement, Vtech said pairings could not occur if the child’s walkie talkie was already linked to another device, such as one used by a sibling or parent.

“Further to the recent Which? findings, we would like to reassure consumers on the safety of the VTech KidiGear Walkie Talkies which use the industry standard AES encryption to communicate,” Vtech said.

“The pairing of KidiGear Walkie Talkies cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30-second window in order to connect.”

Similarly, a karaoke microphone, sold by Xpassion/Tenva, and the Singing Machine SMK250PP, could allow people within 10m (32.8ft) of them to send recorded messages as the devices’ Bluetooth connection has no authentication feature.

In a statement, the company said: “Safety is top priority with every Singing Machine product produced, as demonstrated by our 37-year history without a product recall.

”We follow industry best practices as well as all applicable safety and testing standards.“

Two more of the products tested – Bloxels, a physical and online video game builder, and coding game Sphero Mini – were found to have no filter to prevent explicit language or offensive images being uploaded to their online public platforms.

Which? also found several toys that could potentially be hacked due to users not having strong passwords for online accounts, meaning their personal data could be at risk.

The Boxer Robot, an interactive artificial intelligence robot, Bloxels, Sphero Mini and the Singing Machine were all found to have security issues which leave them open to online hacking.

Following its findings, Which? is calling on a number of retailers – including John Lewis, Amazon, Argos and Smyths toy store – to remove any affected smart toys from its shelves and asking the government to make it mandatory for manufacturers to ensure such products meet appropriate security standards before they go on sale.

”In some of the toys that we found, the major concern was that someone else could connect to the toy and actually start a two-way conversation with the child and this could be up to 200 metres away from the toy itself,” Neena Bhati, head of campaigns at Which? told SkyNews.

Which? warns that a stranger could contact a child using the Vtech KidiGear walkie-talkies

“This is quite concerning because parents might not always be around while their children are playing with these products, therefore not know what’s happening with the child and whether its communicating with anyone else – that can be quite dangerous.”

An Amazon spokesman told The Independent that the retailer requires all products “to comply with applicable laws and regulations”, and that it “proactively monitors multiple sources for safety notifications”.

A John Lewis spokesperson added that while it sells just one of the toys mentioned in the Which report – the Sphero Mini – it “takes the security and privacy of connected devices very seriously”.

“In the last year, we have been working with the Department for Digital, Culture, Media & Sport to explore how we can best support the voluntary code of practice which improves the security of connected technology products.”

In 2018, the National Cyber Security Centre (NCSC) issued new guidance calling on manufacturers to ensure devices sold to British families are secure.

The Singing Machine does not require authentication, such as a Pin code, for its Bluetooth connection

The move came after vulnerabilities in children’s products included one that could let attackers obtain audio from a baby monitor or “inject fake information about the position and temperature” of an infant on an activity tracker.

“Poorly secured devices can threaten individuals’ privacy, compromise their network security, their personal safety and could be exploited as part of large-scale cyberattacks,” a spokesperson said.

“Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras and children’s toys.”

The Independent has contacted Argos and Smyths for comment.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in