Internet-Connected Toys Could Let Hackers Access Your Children

The problem of toys that could be used for spying, tracking and even directly communicating with children thanks to their low hacking security is growing, experts say, even despite Federal Network Agency (FNA) bans on some Internet-connected toys.

In January 2017, the FNA banned My Friend Cayla, a doll distributed in the US by Genesis, and even urged the parents to destroy the dolls entirely: its susceptibility to hacks earned it an official "illegal espionage apparatus" status.

It's December now, so meet Furby, a cute gremlin-like toy which, when hacked, gives a hacker a full access to its microphone so that they can directly talk to children through the toy. Sounds creepy, right?

The doll, manufactured by toy giant Hasbro, can be hacked via Bluetooth by a hacker that is within 100 feet of the toy, a group of researchers from Which?, a British charity, and the German consumer group Stiftung Warentest, have found.

But the threat is not limited to Furby alone. There is also Q50, a smart watch made for children. Initially designed as a parent's aid in tracking their children and even communicating with them directly, they are also a welcome tool for hackers. Poor security allows the malefactor to "intercept all communications, remotely listen to the child's surroundings and spoof the child's location," according to a report by Top10VPN, a consumer research company.

From a technical point of view, many products like My Friend Cayla share the same fundamental flaw, says Sarah Jamie Lewis, an independent cybersecurity researcher. All these toys need to be paired with a Bluetooth device with an internet connection, such as iPhone or an Android phone, to work. However, there is no security feature that restricts the toys to a certain list of trusted devices only. If a user is negligent enough as to not specify the paired device, anyone within 50 feet can use the toy's open Bluetooth connection to exploit it.

The problem has even attracted the attention of the FBI, which has released a set of recommendations on how the parents should use the Internet-connected toys. The FBI urged parents to familiarize themselves with how exactly the toy works: if a toy connects wirelessly through Bluetooth, it should require some type of unique pin or password, to make sure that connection is secure, for example. And if a toy records and stores data, parents should make sure how and where exactly this data is stored and check on how well the toy manufacturer protects the user's personal data.