Context researchers help Which? campaign to call time on insecure connected toys

The independent consumer body Which? called for all insecure connected toys to be removed from sale immediately. In its statement, Which? expresses its frustration with toy manufacturers that have failed to address vulnerabilities highlighted by researchers, in internet or Bluetooth connected products and believe that enough is enough.

As part of its campaign, Which? has also approached all the major toy retailers and shared its concerns with the UK Government and bodies such as CEOP (Child Exploitation and Online Protection) and the NCSC (National Cyber Security Centre).

Research partner Context Information Security has been working with the team at Which? to help provide evidence and demonstrate how easy it is with the right skills to hack into off-the-shelf children’s toys. As part of this work, Context researchers looked at the security of Hasbro’s popular Furby Connect, a furry, robotic creature with expressive LCD eyes that can speak, sing, dance and connect via Bluetooth to the Furby World smartphone game.

Alex Neill

Like many other consumer smart devices and toys that use Bluetooth Low Energy, Context found that the Furby does not implement any of the standard Bluetooth security features and does not use authenticated pairing or link encryption. As a result, anyone in wireless range of the Furby can connect to it while in use and send control commands without any physical interaction.

Building upon existing research carried out by researcher Florian Euchner who was able to upload custom audio clips to the toy, the Context researchers fully reverse-engineered files used by Furby, which include programmable action sequences, lip movements and animation commands. This made it possible to display custom graphics and animations on Furby’s LCD eyes.

Context also found that Furby firmware updates appear not to require to be signed by the manufacturer. This means that maliciously installed firmware could potentially gain access to the toy’s microphone, turning the toy into a remote listening device, for example.

“It’s not a trivial matter to find and exploit toys such as Furby Connect, but we believe that basic security measures should be standard in all connected consumer devices,” said Paul Stone, lead security consultant at Context Information Security.  “Toys that allow remote unauthenticated upload and playback of audio or video should be of particular concern to parents.”

“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold,” said Alex Neill, Which? managing director of Home Products and Services.

Context will publish a video and more technical details of its research on the Furby Connect later this week.

For full Which? statement, click here.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

Recent Articles

IoT ecosystem association adds connected health and wellness to key verticals in face of COVID-19

Posted on: April 3, 2020

The Internet of Things Consortium (IoTC), a business development association for the Internet of Things (IoT) ecosystem, announced it will add connected health and wellness to its key verticals of focus.

Read more

Samea Innovation selects Sequans Monarch Technology for new smart building IoT solution

Posted on: April 3, 2020

Sequans Communications S.A., has announced that Samea Innovation, provider of wireless products and design services, is using Sequans’ Monarch GM01Q module to provide the LTE connectivity for its new Sensoriis Smart Building Wireless Sensor.

Read more