Christmas is coming, the goose is getting fat, look out for must-have toys that are 'easily hacked' ♪

Consumer advice outfit Which? has today published a report detailing how easy it is to hack some of the most popular "connected toys" on the market and has called on retailers to stop selling those with "proven security issues". The report found that of seven toys tested, the Furby Connect, I-Que Intelligent Robot, Cloudpet …

  1. Phil O'Sophical Silver badge
    Facepalm

    "a number of very specific conditions ... included redesigning the toy's firmware and then uploading it within Bluetooth range."

    So, a pretty routine hack, then. They should see the tricks our in-house white-hat hackers get up to when they are testing our products.

    1. chivo243 Silver badge
      Big Brother

      Spin the spinning spinner deflector

      @ Phil

      +1

      Seems the PR departments are in overdrive deflecting what could be a big hole in their bottom line...

      1. Voland's right hand Silver badge

        Re: Spin the spinning spinner deflector

        deflecting what could be a big hole

        Wishful thinking I am afraid. It will take a "Small Soldiers" level incident (and paying for the fallout) for them to take notice. Anything else is just +/- a few percent on the PR budget (but not the development one - there ain't any, it's all ODM).

    2. Anonymous Coward

      I'm sure

      that BMW said the same about their "secure" keys when it transpires a £20 bit of kit will allow you unfettered access.

      I'm sure lock makers say the same, "A miscreant has to be in close proximity and a set of unusual circumstances must take place before your house is burgled". Such as a burglar turning up to your house with a screwdriver or a lock pick. It's unusual but that doesn't mean it isn't happening everywhere.

      Security by "unusual circumstances" isn't any kind of security at all.

  2. wolfetone Silver badge

    "Hasbro, manufacturer of the Furby, took issue with Which?'s test. It said: "We believe that [hacking into the toy] would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described.""

    Well, under a certain condition of it being night time, me being out of the house, there being a power cut, someone with a brick could gain access to my house. But I still invest in security for the house to mitigate that issue.

    Because that's common sense.

  3. Anonymous Coward

    specific sequence of events huh

    like, pair, connect, browse.

    Bluetooth proximity is a partial defence but not from the teenager upstairs, let alone a more planned mischief.

    I believe those statements are from those that have no real defence. I may as well say I have left a million pounds in cash in my unlocked shed and it's safe because no one goes near my shed. Bah.

    Quote from famous Father Christmas book "Merry Bleedin' Christmas"

    1. wolfetone Silver badge

      Re: specific sequence of events huh

      So, eh, where do you live?

      Asking for a friend.

      1. AMBxx Silver badge

        Re: specific sequence of events huh

        How far though? I had my ear bent by a security bod a few years ago about Bluetooth sniper - Bluetooth with Pringles tube or something to extend the range of BT.

        1. Suburban Inmate

          Re: How far?

          I live in a basic old terraced house in SE London, the type where the kitchen with a bedroom above sticks out the back, leaving a sort of dingy alcove.

          With my LG G3 on my desk, by the rear window that looks out to the alcove next to the kitchen, I can still get music on my old 8 quid bluetooth headset on the front porch. About 15m and 2 or 3 brick walls.

          I imagine a decent antenna and circuitry could at least double that to the middle of the road.

          1. Muscleguy

            Re: How far?

            Yup and I can get decent WiFi in my fibre cement garage workshop 20+m from the router and through a couple of brick walls/chimney. I can get a good 50m down the road on WhatsApp with the youngest in NZ before the handover to digital data happens.

            Depending on the atmospherics I can get 8+ wifis visible and we are all either detached or semi-detached houses and ours doesn't broadcast. Most are using the generic ISP call sign. If I wanted to . . .

    2. Stoneshop
      Devil

      Re: specific sequence of events huh

      Bluetooth proximity is a partial defence but not from the teenager upstairs

      Or rather from the miscreant that's got access to the upstairs teenager's computer through whatever boobytrapped game crack installed on it.

    3. Voland's right hand Silver badge

      Re: specific sequence of events huh

      Teenager upstairs... That gives me an idea. How about:

      Step 1: Upload an alternative phrasebook with Father Jack Hackett's vocabulary in them in a large Toy Shop, in let's say Oxford Street.

      Step 2: Select a Daily Fail reader of your choice and suggest that as a toy for his/her little Daily Fail conditioned progeny

      Step 3: Observe the fallout (including the inevitable article in the Daily Fail).

  4. Aladdin Sane

    "While it may be technically possible for someone other than the intended user to connect to the toys La la la la we can't hear you"

    1. Stoneshop

      La la la la we can't hear you

      Outside of Bluetooth range, that is.

  5. DNTP

    No electronic gizmos this Christmas

    It's gonna be hatchets and machetes for the nephews then. Keep them away from anything to do with all this scary 'hacking'. Wait...

    1. Aladdin Sane

      Re: No electronic gizmos this Christmas

      You are Uncle Fester, AICMFP.

    2. AndGregor
      Windows

      Re: No electronic gizmos this Christmas

      A lump of coal and / or an orange. Bah..

      1. Doctor Syntax Silver badge

        Re: No electronic gizmos this Christmas

        "A lump of coal and / or an orange."

        "And"? Your generosity knows no bounds.

        1. Anonymous Coward

          Re: No electronic gizmos this Christmas

          What? No whip and top or jacks???

          Pauper. :-)

  6. Anonymous Coward

    Keep it traditional - keep it safe

    Just say no to Bluetooth-enabled toys and give your children more traditional toys for Christmas....like chemistry sets or 'clackers'

    1. chivo243 Silver badge

      Re: Keep it traditional - keep it safe

      lawn darts?

      1. DJV Silver badge
        Trollface

        Re: Keep it traditional - keep it safe

        Plenty to choose from here!

        https://www.elitereaders.com/dangerous-toys-from-the-past/

        1. Doctor Syntax Silver badge

          Re: Keep it traditional - keep it safe

          https://www.elitereaders.com/dangerous-toys-from-the-past/

          I'd have loved most of them. They sound like the sort of thing that would form the basis of a good education.

          My chemistry set had potassium permanganate in it. So what?

        2. Mark 85

          Re: Keep it traditional - keep it safe

          I guess a requirement for these toys was a) be male, b) white shirt and tie. I had most of the Gilberts as a kid (many were my Dad's when he was a kid).

  7. Anonymous Coward

    Has anybody in the EU yet tried to require IoT (and more generally "smart") devices meet a minimum threshold for security as part of obtaining a CE mark? Or will GDPR fix all these problems magically?

  8. Anonymous Coward

    At this point

    I think I'm going to buy some IoT / Bluetooth toys and Home-Security systems and leave them on, but not connected to anything. Just to see if I can frustrate some hackers somewhere. Think I'll wait for a sale though!

  9. groovyf

    Good luck getting something useful from Spiral Toys...

    https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

  10. Andraž 'ruskie' Levstik

    Will stick to LEGO.

    1. Anonymous Coward

      Google Lego and bluetooth...

      1. Aladdin Sane

        Re: Google Lego and bluetooth...

        Man, rule 34 gets EVERYWHERE.

    2. Charles 9

      No, LEGO sticks TO YOU...especially your foot.

      1. Aladdin Sane
        Devil

        People who bang on about Lego and feet have obviously never stood on a UK plug.

        1. Arthur the cat Silver badge

          People who bang on about Lego and feet have obviously never stood on a UK plug.

          A quote I found on hackaday.com a while back:

          The UK has a fabulously rich history of ancient melee weapons, ranging from the flail to the mace and a bunch of odd bladed weapons used by the Scots. This tradition was passed down to the UK mains plug, the single most painful plug to step on.

          1. Doctor Syntax Silver badge

            "This tradition was passed down to the UK mains plug, the single most painful plug to step on."

            I once owned a house where the previous owner had come up with an interesting wheeze to provide power in the garage. There were a number of sockets in the garage. One of them could be connected to a socket in the kitchen by means of a flex with a plug on each end. If the kitchen end was plugged in the plug on the garage end would have been even more painful than normal.

            1. Muscleguy

              Ours came with the power to the garage being run via an ordinary grey electrical flex out of a hole in an air brick, up the gate pillar, across the gate pillar clipped to the TOP of a piece of wood spanning the pillars (careful when moving that ladder now) then in under the corrugated roof. I needed to remake the sad excuse for a gate with a solid Z-gate (still going strong) and replaced the cable with surface rated armoured cable. It goes below. There's a small step from the concrete flagstones down to the concrete apron in front of the garage. It is run down there shielded from rubbish bin wheels by a piece of angle iron screwed to the piers by tabs bent on the ends.

              No more careful with ladders until you begin to extend them (power lines to all the houses run from a pole in the middle of our backs and two at least cross the airspace of our back yard).

            2. Allan George Dyer
              Joke

              @Doctor Syntax - So that was twice as safe: a fuse in both plugs!

              Was the previous owner still alive when you bought it? If not, maybe you should make a Darwin Award nomination.

            3. Anonymous Coward

              "[...] an interesting wheeze to provide power in the garage"

              A hotel bedroom had a 13 amp wall socket wired as an extension - with twisted pair bell wire running along the top of the skirting board.

          2. Muscleguy

            Kiwis rule!

            I demur, the NZ three pin plug uses much thinner prongs AND the + and - are set at an angle. Thinner prong means better chance of penetrating the foot and if it does so snapping off in said foot.

          3. NXM Silver badge

            Dodgy wiring

            A friend of mine bought a house where the entire kitchen including the cooker was connected by a single 1.5mm² grey twin & earth. He found it when he noticed a groove in the polystyrene - yes, polystyrene - insulation in the loft that the cable had melted its way through.

        2. Charles 9

          "People who bang on about Lego and feet have obviously never stood on a UK plug."

          Except Legos are easier to HIDE, especially in a thick carpet. Can you say the same thing about a UK plug whose prongs are like 2cm each?

          1. Anonymous Coward

            Stickle bricks look more painful than Lego - although possibly not so common.

            1. Anonymous Coward

              Not so

              Stickle bricks were "softer" and besides, they work like a bed of nails by distributing the pressure over many points.

              Lego was rock hard and had VERY pointy corners.

        3. Anonymous Coward

          Or an 8pin DIL

          555 timer IC.

  11. fidodogbreath

    ♪ "It's the most hack - a - ble time of the year...." ♫

  12. Anonymous Coward

    The Duckman

    Cometh...

  13. EnviableOne

    Outside bluetooth range you say

    https://www.popsci.com/diy/article/2004-11/bluetooth-mile-away

    Cantenna for the price of Pringles will extend that further
