Amazon and Toys R Us urged to withdraw toys that allow hackers to exploit Bluetooth flaw to talk to children
Which? investigation finds security flaws in ‘intelligent’ toys such as CloudPets and Hasbro’s Furby Connect

A consumer group is urging major retailers to withdraw a number of “connected” or “intelligent” toys likely to be popular at Christmas, after finding security failures that it warns could put children’s safety at risk.
Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and Wi-fi-enabled toys that could enable a stranger to talk to a child.
The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.
With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical know-how was needed to hack into the toys to start sharing messages with a child.
When switched on, the Furby Connect – on sale at Argos, Amazon, Smyths and Toys R Us – could be connected with any device within a Bluetooth range of 10 to 30 metres.
Watch: i-Que Intelligent Robot knows ‘millions of things’