Beware of bad Santas this Xmas: Piles of insecure smart toys fill retailers' shelves

It seems to come around quicker every year – the failure of so-called smart toys to meet the most basic of security requirements. Which? has discovered a bunch of sack fillers that dirtbags can use to chat to your kids this Christmas.

Back in 2017, the consumer group found toys with security problems relating to network connections, apps or other interactive features. The results of its latest round of testing show manufacturers are struggling to improve standards.

Working with security researchers NCC Group, Which? found a karaoke machine that could transmit audio from anyone passing within Bluetooth range because of its unsecured connection. It found walkie-talkies from VTech which anyone with their own set of similar equipment could connect to over a 200-metre range. It also found a Mattel-backed games portal which appeared to be unmoderated, allowing users to upload their own games with content inappropriate for children.

Ken Munro, security researcher with consultancy Pen Test Partners, said that although there was no evidence the vulnerabilities revealed by Which? had not been used by nefarious characters to contact children, parents should still beware of toys that do not meet minimum standards.

"The reason we don't hear of these attacks is they are local: it would be one parent at a time. Is it still worrying? Yes, I don't like the idea of this thing being unsecured," he said.

Earlier this year, the UK's Department for Digital, Culture, Media and Sport launched an industry consultation on the back of a 2018 report which advocated the removal of burden from consumers to securely configure their devices and instead ensure that strong security is built into IoT devices and services by design.

In 2017, Which? and German counterpart Stiftung Warentest raised concerns about i-Que Robot, which also offered an unsecured Bluetooth connection. Munro said he was not surprised manufacturers had struggled to demonstrate any improvement in security awareness or standards.

"We've seen much worse vulnerabilities involving kids' tracking watches, whereby a hacker can remotely track thousands of kids in real time," he said.

While UK regulation is still in the works, and adverse publicity has little effect, incoming legislation in California is more likely to force manufacturers to build security into product design from the outset.

From 1 January 2020, Senate Bill 327 will make reasonable security mandatory for consumer products in California. Given it is such a large market, and the home of both the global technology and media industries, the legislation is set to change smart toy manufacturing, Munro said. "I think that will have a huge influence on manufacturing. If you want to sell stuff in California, it's got to be safe. That will trickle down, so UK production improves as well."

In response to the Which? study, a spokesperson for VTech said consumers should be assured the VTech KidiGear Walkie Talkies, which uses the industry-standard AES encryption to communicate, are safe.

"Pairing... cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30-second window in order to connect. Additionally, if already linked to its paired handset, pairing with an additional, external handset is not possible," a spokesperson said.

Meanwhile, Sphero, maker of the Sphero Mini interactive toy also implicated in the Which? study, said that the feature highlighted related to the Sphero Edu app, which was meant to be used in classrooms or in the home with teacher or parent supervision.

The Register has offered Singing Machine and Mattel the opportunity to comment, but neither firm has so far responded. ®