
Bluetooth-Enabled Smart Toys Pose Hacking Risk, Group Warns

Smart toys can be an appealing gift idea, but be careful: the Bluetooth connectivity in some products can make them easy to hack, according to a consumer watchdog.

On Tuesday, the UK-based group known as Which? claimed that four different smart toys can be hijacked by a stranger to talk to a child: the Furby Connect, the i-Que Intelligent Robot, the Toy-Fi Teddy, and CloudPets.

All four products pair with a smartphone over a Bluetooth connection to relay data. The problem is that the Bluetooth connection is completely open, meaning anyone in range can access the four toys simply by using their smartphone, according to the consumer watchdog.

"In all cases, it was found to be far too easy for someone to use the toy to talk to a child," it claimed.

The hacks have a limitation: a stranger would have to be within Bluetooth range, or about 32 feet, of the toys. Nevertheless, Which? is urging the toy makers to secure their products.

"You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy," said Alex Neill, the organization's managing director of home products and services.

Hasbro, the maker behind the Furby Connect, is taking the reported issue "very seriously," but noted that the hack requires the attacker both to be close to the toy and to possess the technical knowledge to re-engineer the product's firmware.


"We feel confident in the way we have designed both the toy and the app to deliver a secure play experience," a Hasbro spokeswoman said in an email. The toy maker hired a third party to do security testing on the Furby Connect product and it complies with local privacy laws, Hasbro said.

The UK distributor behind i-Que also said there have been no reports of anyone maliciously abusing the toy's Bluetooth connectivity, Which? said.

Still, even the FBI has warned consumers to be aware of the security and privacy risks associated with connected toys. The agency encourages consumers to research connected toys before buying and has published a list of recommendations on how parents can keep their children safe around such products.


