Leading independent consumer body Which? today called for all insecure connected toys to be removed from sale immediately. In this article, Which? expresses its frustration with toy manufacturers that have failed to address vulnerabilities highlighted by researchers in internet or Bluetooth connected products and believe that ‘enough is enough’.
As part of its campaign, Which? has also approached all the major toy retailers and shared its concerns with the UK Government and bodies such as CEOP (Child Exploitation and Online Protection) and the NCSC (National Cyber Security Centre).
As their research partner on this project, Context has been working with the team at Which? to help provide evidence and demonstrate how easy it is with the right skills to hack into off-the-shelf children’s toys. As part of this work, Context looked at the security of Hasbro’s popular Furby Connect, a furry, robotic creature with expressive LCD eyes that can speak, sing, dance and connect via Bluetooth to the Furby World smartphone game.
Like many other consumer smart devices and toys that use Bluetooth Low Energy, we found that the Furby does not implement any of the standard Bluetooth security features and does not use authenticated pairing or link encryption. As a result, anyone in wireless range of the Furby can connect to it while in use and send control commands without any physical interaction.
Building upon existing research carried out by researcher Florian Euchner who was able to upload custom audio clips to the toy, our own researchers fully reverse-engineered files used by Furby, which include programmable action sequences, lip movements and animation commands. This made it possible to display custom graphics and animations on Furby’s LCD eyes.
We also found that Furby firmware updates appear not to require to be signed by the manufacturer. This means that maliciously installed firmware could potentially gain access to the toy’s microphone, turning the toy into a remote listening device, for example.
“It’s not a trivial matter to find and exploit toys such as Furby Connect, but we believe that basic security measures should be standard in all connected consumer devices,” said Paul Stone, Principal Security Consultant at Context Information Security. “Toys that allow remote unauthenticated upload and playback of audio or video should be of particular concern to parents.”
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold,” said Alex Neill, Which? Managing Director of Home Products and Services.
We will publish more technical details of our research on the Furby Connect later this week on our blog.