Consumer advice outfit Which? has today published a report detailing how easy it is to hack some of the most popular "connected toys" on the market and has called on retailers to stop selling those with "proven security issues".
The report found that of seven toys tested, the Furby Connect, I-Que Intelligent Robot, Cloudpet and Toy-Fi Teddy used unsecured Bluetooth connections.
The group's resident hackers found they could send text and audio messages through the toys, either through their companion apps or by connecting via laptop, without a password or other form of authentication.
The tests were carried out in association with Which?'s German counterpart, Stiftung Warentest, and security researchers. Context Information Security is the only one named.
Alex Neill, managing director of home products and services for Which?, said: "Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
"Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold."
Hasbro, manufacturer of the Furby, took issue with Which?'s test. It said: "We believe that [hacking into the toy] would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described."
These steps included redesigning the toy's firmware and then uploading it within Bluetooth range.
Vivid Imaginations, the distributors of Genesis Toys' I-Que robot, responded similarly. It said: "While it may be technically possible for someone other than the intended user to connect to the toys, it requires certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy."
The Register has contacted Spiral Toys, manufacturers of CloudPets and Toy-Fi Teddy, for comment. ®