The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

If Dolly Can Be Hacked, What About The Hand Dryer?

17 November 2017 | Updated 01 January 1970
 

 

Connected toys with Bluetooth, wi-fi and mobile apps may seem like the perfect gift for Christmas. But Which? has found that, without appropriate safety features, they can also pose a big risk to a child’s safety. 

Watch the video below to see just how easy it is for anyone to take over the voice control of a popular connected toy - and then ask the question - if it's that easy, what IoT installs in your building are as vulnerable (and should you be copying this article to all staff as a Christmas present warning - you have our permission by whatever means you choose).

Which? also say they are not talking about professional hackers, claiming it’s easy enough for almost anyone to do.

 

Connected toys safety

Over the past 12 months, Which?, in collaboration with consumer organisations and security research experts, has conducted investigations into popular Bluetooth or Wi-Fi toys on sale at major retailers. Here, we present findings on just four – the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets cuddly toy:

  • In all cases, it was found to be far too easy for someone to use the toy to talk to a child.
  • Each time, the Bluetooth connection had not been secured, meaning that person didn’t need a password, PIN code or any other authentication to get access. That person would need hardly any technical know-how.
  • Bluetooth has a range limit, usually 10 metres, so the immediate concern would be someone with malicious intentions nearby. However, there are methods for extending Bluetooth range and it’s possible someone could set up a mobile system in a vehicle to trawl the streets hunting for unsecured toys.

 

Connected toys that are easily hacked

I-Que Intelligent Robot Available from: Argos, Hamleys, online

Made by Genesis Toys, this brightly coloured robot talks back to you, spits sound effects and can even tell jokes.

The German consumer organisation, Stiftung Warentest, found that it uses Bluetooth to pair with a phone or tablet, but the connection is unsecured. In fact, anyone can download the app, find an i-Que within Bluetooth range and start chatting by typing into a text field (see more in the video report ).

Worse still, the robot speaks in its own voice and so, if the child has played with it for a while, they could be more willing to trust it.

Vivid Toys, UK distributor of i-Que, told Which? that it takes reports of security issues with the i-Que ‘very seriously’, although it said that ‘there have been no reports of these products being used in a malicious way’. Vivid said that it will take our recommendation about adding Bluetooth authentication to Genesis Toys and ‘actively pursue this matter with them directly’. It added: ‘The connected toys distributed by Vivid fully comply with essential requirements of the Toy Safety Directive and harmonised European standards, and (we) consider these product to be safe for consumers to use when following the user instructions.’

 

Furby Connect

Available from: Argos, Amazon, Toys R Us, Smyths.

Which? asked information security experts, Context IS, to assess the security of the popular Furby Connect talking toy – and the news wasn’t good. Just like the i-Que, anyone within Bluetooth range can connect to the toy when its switched on, with no physical interaction required. This is because it does not use any security features when pairing. Plus, you can make the connection via a laptop, opening up more opportunities to control the toy.

Context IS was able to build upon some previous work by Florian Euchner (see https://github.com/Jeija/bluefluff) to upload and play a custom audio file on the Furby. This audio file could be anything, including inappropriate material. While Which? could not turn the Furby into a listening device in the time available, Context IS believes this is possible if someone was able to re-engineer its firmware due to another vulnerability found in the toy’s design (which we will not be publishing).

Context IS feels it is possible to add more security to the toy via the standard Bluetooth bonding procedure that exchanges an encryption key (LTK) with the phone or tablet during initial set-up. It is possible to remove the firmware vulnerability, too.   

Furby-maker Hasbro told Which? that while it takes the report ‘very seriously’, it feels that the vulnerabilities exposed would require someone to be in close proximity to the toy and posses the technical knowledge to re-engineer the firmware.

‘We feel confident in the way we have designed both the toy and the app to deliver a secure play experience,’ the firm added. ‘The Furby Connect toy and Furby Connect World app were not designed to collect users’ name, address, online contact information (eg, user name, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device’s microphone.’

 

CloudPets

Available from: Amazon, online.

CloudPets is a stuffed toy that enables family and friends to send messages to a child, played back on a built-in speaker. It comes in dog, bunny, cat and bear varieties. With some knowledge, someone can hack the toy and make it play their own voice messages.

In a previous investigation, Which? hacked the kitten version and made it order itself some cat food from a nearby Amazon Echo (see more in the video below). Which? were able to connect to the toy’s unsecured Bluetooth connection from even outside in the street.

CloudPets maker, Spiral Toys, has not yet made a public comment on CloudPets’ Bluetooth vulnerabilities. However, it did respond about a separate data breach earlier in 2017, stating: ‘Protecting our user’s privacy is very important to us, particularly when children are involved. We’re taking several steps to make sure that your account and recordings are safe.’

With the regards the Echo, Amazon told said: ‘To shop with Alexa, customers must ask Alexa to order a product and then confirm the purchase with a “yes” response to purchase via voice. If you asked Alexa to order something by accident, simply say “no” when asked to confirm. You can also manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order. Additionally, orders placed with Alexa for physical products are eligible for free returns.’

 

Toy-fi Teddy

Available from: Amazon, online.

This cuddly, cute-looking teddy with a red heart on its chest enables the child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. However, again, Stiftung Warentest found that the Bluetooth lacks any authentication protections, meaning strangers can also send their voice messages to the child and receive answers back.

Toy-Fi is also made by Spiral Toys, which has not commented on the vulnerability.

Stiftung Warentest has also tested the Wowee Chip, which has the same Bluetooth vulnerabilities but hackers can only take remote control of the toy, not speak to the child. It looked at the Fisher-Price Smart Toy Bear and Mattel Hello Barbie to test for for security issues, too. The findings weren’t as concerning as those above, but both toys have hit the media previously with alleged hacking risks.

 

My Friend Cayla

Last year, Germany’s telecoms watchdog ordered parents with the My Friend Cayla talking to doll to destroy it as it could be used to ‘illegally spy’ on children. This followed researchers and consumer groups having expressed concern that access to the doll was completely unsecured, in a similar way to the findings above.

The German Federal Network Agency classified Cayla as an ‘illegal espionage apparatus’, this means that in Germany retailers could be fined if they continued to sell it or failed to disable its wireless connection before sale.

 Like the I-Que, My Friend Cayla is manufactured by Genesis Toys and distributed in Europe by the Vivid Toy Group.

Which?'s US colleagues, Consumer Reports, has previously filed complaints in America about I-Que and Cayla. In July 2017, the FBI took the step of issuing a warning about connected toys in general, stating that: ‘Security safeguards for these toys can be overlooked in the rush to market them and to make them easy to use.’

 In the cases featured above, the security could have been increased with proper authentication on the Bluetooth connection. With toys such as the Furby, this is possible via a firmware update.

 

Connected toys: What we’re calling for

In 1957, Which? successfully campaigned to promote the use of lead-free paint in toys. Nearly 60 years on and Which? feel unsecured connected toys pose a different but equally important risk to children.

Which? are calling for all connected toys with proven security or privacy issues to be taken off sale. 

Picture: The robot in our video below is not the only connected toy parents need to be wary of this Christmas - and should FM's be as concerned about easy to hack IoT in their buildings?

Article written by Andrew Laughlin of Which? | Published 17 November 2017

Share



Related Articles

Is 5G the Catalyst Needed to Fight Climate Change?

The accelerated roll-out of 5G connectivity across Europe and the UK will have an immediate and catalysing impact in reducing CO2 emissions, according to a new study...

 Read Full Article
The Speechmark Makes You Speechless

Fronted by curved glass and framed in slate black, The Speechmark is arguably now one of the most striking buildings in Southwark – an area of London already...

 Read Full Article
To Have And To Have Not - Connectivity Not Always A Given

BT may have decided that all its offices need to have super-fast connectivity but that is not a luxury all London landlords can offer, writes Nick Dutfield. Arguably...

 Read Full Article
Sky's The Limit For London’s Badly Connected Streets

Smart and even the not so smart buildings critically require superfast connectivity but there is one particular place in the UK that fails to deliver - London! Going...

 Read Full Article
Strict Data Diet Required To Banish Holiday Blues

Lots of people have only just returned to work in the week commencing January 7. Many will be planning dry-Januarys and diets - but how many could do with cutting down on...

 Read Full Article
A Smart Move - Engie Buys Smart Buildings Firm

On the eve of the Smart Buildings Show at London's Barbican Centre, Engie acquired Smart Buildings Ltd, a company that specialises in smart buildings...

 Read Full Article
Broadband Speeds 51% Slower Than Advertised

Homeworkers are paying for broadband services that are on average 51% slower than advertised, according to new Which? analysis. Results generated from 235,000 uses of...

 Read Full Article
Rates Exemption To Encourage Broadband Rollout

Exempting new broadband fibre from business rates will give businesses across England better broadband according to Ministry of Housing, Communities & Local...

 Read Full Article
Hacking Made Easy - Wi-Fi Makes Mobile Malicious

Most companies suspect their mobile workers have been hacked with cafes seeing highest number of Wi-Fi related incidents according to the latest iPass Mobile Security...

 Read Full Article
ISS Partners With ToolSense to Digitise Asset Operations

ISS has established a new global strategic partnership with tech startup company ToolSense to help their employees manage moveable assets such as vacuum cleaners and...

 Read Full Article