According to a study conducted by the consumer insight portal Which? with the help of cybersecurity experts NCC Group, children are at risk of being contacted by strangers through smart toys. The research found security flaws in popular children’s toys, including walkie talkies and karaoke machines. These could leave them open to being hacked by other users.
The researchers tested seven popular devices and performed a variety of tests on them like assessment of software vulnerabilities and a full hardware teardown in order to investigate how the toys were made. Out of the seven toys, three have been found to be at fault. Which? claimed that these devices could help any starnger could communicate with a child.
Vtech’s KidiGear Walkie Talkies were among those named to be at fault, which could enable someone to start a two-way conversation with a child from a distance of up to 200m (656ft). Although Vtech in a statement said, “Further to the recent Which? findings, we would like to reassure consumers on the safety of the VTech KidiGear Walkie Talkies which use the industry-standard AES encryption to communicate.” The company further added, “The pairing of KidiGear Walkie Talkies cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30-second window in order to connect.”
Xpassion/Tenva’s karaoke microphone and Singing Machine SMK250PP could possibly allow people within 10m (32.8ft) of them to send recorded messages to children since the devices’ Bluetooth connection has no authentication feature. Xpassion/Tenva said in a statement: “Safety is top priority with every Singing Machine product produced, as demonstrated by our 37-year history without a product recall. We follow industry best practices as well as all applicable safety and testing standards.“
Two more of the products tested include Bloxels, a physical and online video game builder, and coding game Sphero Mini were found to have no filter to prevent explicit language or offensive images being uploaded to their online public platforms. Which? also found several other toys that could be hacked due weak passwords for online accounts. The Boxer Robot, an interactive artificial intelligence robot too was found to have security issues.
Following its findings, Which? called out a number of retailers like John Lewis, Amazon, Argos and Smyths to remove faulty smart toys.
Neena Bhati, head of campaigns at Which? told SkyNews, “In some of the toys that we found, the major concern was that someone else could connect to the toy and actually start a two-way conversation with the child and this could be up to 200 metres away from the toy itself. This is quite concerning because parents might not always be around while their children are playing with these products, therefore not know what’s happening with the child and whether its communicating with anyone else – that can be quite dangerous.”
In 2018, the National Cyber Security Centre (NCSC) issued a new guidance to ensure that smart toys are safe and secure for families. The move came after vulnerabilities in children’s products included one that could let attackers obtain audio from a baby monitor or “inject fake information about the position and temperature” of an infant on an activity tracker.
Source: IndependentPosted in International, News