Threat of hacking in smart toys including walkie talkies and microphones says Which?

by Rebecca Tuffin

Children in Kent are at risk of having their Christmas presents hacked by strangers.

Serious security flaws have been discovered in a number of popular smart toys which could enable strangers to talk to children, consumer group Which? has claimed.

Vtech KidiGear walkie talkies
Vtech KidiGear walkie talkies

Walkie talkies, karaoke machines and robots were among the products tested by the company with the help of cyber security firm NCC Group.

Which? found a security flaw in the Vtech KidiGear walkie talkies, which may allow someone to start a two-way conversation with a child from a distance of up to 200 metres.

In a statement, Vtech said the walkie talkie could not make an unauthorised pairing if it was already linked to another device.

The company added: "We would like to reassure consumers on the safety of the product which uses the industry standard AES encryption to communicate.

"The pairing cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30 second window in order to connect."

Singing Machine SMK250PP
Singing Machine SMK250PP

A fault was also found in the karaoke microphone sold online by Xpassion/Tenva and the Singing Machine SMK250PP.

Both products could allow people within 10 meters to send recorded messages to a child because the Bluetooth has no authentication, such as a PIN.

Singing Machine said: "Safety is our top priority with every product produced, as demonstrated by our 37 year history without a product recall.

"We follow industry best practices as well as all applicable safety and testing standards.”

The Boxer Robot; video game builder, Mattel Bloxels; coding game, Sphero Mini and the Singing Machine were all found to have security issues which leave them open to hacking.

The Boxer Robot
The Boxer Robot

Users are not required to create strong passwords for their online accounts meaning their personal data could be at risk.

Bloxels and Sphero Mini were also found to have no filter to prevent explicit language or offensive images being uploaded to their online platforms. Any child using the public portal or app on these products could then see or hear this content.

Some of these toys are sold by major retailers including Amazon, Argos, John Lewis and Smyths.

Which? says the Department for Digital, Culture, Media and Sport established a new voluntary code in October last year to improve the security of connected technology products, but most manufacturers have failed to sign up.

As a result of this discovery, Which? is calling for the next government to introduce mandatory security standards to prevent unsecure products being available for sale.

Karaoke microphone sold by Xpassion/Tenva
Karaoke microphone sold by Xpassion/Tenva

Head of home products and services at Which?, Natalie Hitchins, said: “While there is no denying the huge benefits smart gadgets can bring to our daily lives, the safety and security of users should be the absolute priority.

"The next government must ensure manufacturers design connected tech products with security as paramount if it is going to prevent insecure products ending up in people’s homes.”

The company advises parents to read descriptions of toys carefully, search online to see if there has been any security concerns and turn off the product when it is not being used.

Share this story

COMPETITION

Win a football coaching session at Ballerz in Bluewater with former England star Rio Ferdinand


Helpful links

Local news