Smart kids toys sold by retailers including Amazon and Argos vulnerable to hacks

Worrying security flaws that leave children at risk of being contacted by strangers have been found in smart toys in the run-up to Christmas.

Consumer group Which? tested seven smart and internet-enabled kids’ toys and found three were vulnerable to being hacked due to unsatisfactory security.

Which? has urged the next government to make it mandatory for manufacturers to ensure smart products meet appropriate security standards before they go on sale.

Toy manufacturers must show they take the security of internet-enabled and smart products seriously, it said, by introducing basic level security as a first step. 

Scroll down for video  

The Vtech KidiGear Walkie Talkies could allow someone to start a two-way conversation with a child from a distance of up to 200 meters, Which? found

‘While there is no denying the huge benefits smart gadgets can bring to our daily lives, the safety and security of users should be the absolute priority,’ said Natalie Hitchins, Which? head of home products and services. 

‘The next government must ensure manufacturers design connected tech products with security as paramount if it is going to prevent unsecure products ending up in people’s homes.’

Which? investigated seven devices being sold in the run-up to Christmas sold by major retailers including Amazon, Argos, John Lewis and Smyths. 

A security flaw in Vtech’s KidiGear Walkie Talkies could allow a person to start a two-way conversation with a child from a distance of up to 200 metres, it found.

But Hong Kong-based Vtech said in response that the attacker would need to initiate pairing within 30 seconds of a child switching on their device in order to connect.

Children’s karaoke products sold online by Xpassion/Tenva and Singing Machine, meanwhile, were found to have weak Bluetooth security, meaning a person could send recorded messages within 10 metres without protections such as a PIN.

Singing Machine said in response that it follows ‘best practices’ and ‘testing standards’. 

Which? also said that personal data of those who own Singing Machine model SMK250PP, AI-powered Boxer Robot, board game Mattel Bloxels and coding game Sphero Mini is at risk, after finding that users are not required to create strong passwords for user accounts.

Singing Machine model SMK250PP could allow people within 10 meters to send recorded messages to a child because the bluetooth has no authentication

Karaoke microphone, sold online by Xpassion/Tenva, was also lacking in Bluetooth authentication

Bloxels and Sphero Mini also had no filter protections to prevent explicit language or offensive images from being uploaded to their online platforms, Which? added. 

Any child using the public portal or app on these products could then see or hear this content.

The consumer group has called for basic measures such as requiring a unique password before use, data encryption and consistent security updates, as well as appropriate enforcement from government. 

The government’s Department for Digital, Culture, Media & Sport (DCMS) established a new voluntary code in October 2018 to improve the security of connected technology products. 

But most manufacturers have failed to sign up — only three have signed up publicly, Which? claimed — and the threat of unsecure products continues. 

In a statement, John Lewis said: ‘In the last year, we have been working with the Department for Digital, Culture, Media & Sport to explore how we can best support the voluntary code of practice which improves the security of connected technology products.

‘We take the security and privacy of connected devices very seriously.’ 

Which? carried out its investigation in collaboration with security testing, audit and compliance experts NCC Group and has offered consumers advice on how to buy and use smart toys.