Investigation Finds Security Flaws In 'Connected' Toys (theguardian.com)
An anonymous reader quotes a report from The Guardian: A consumer group is urging major retailers to withdraw a number of "connected" or "intelligent" toys likely to be popular at Christmas, after finding security failures that it warns could put children's safety at risk. Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child. The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets. With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access. Little technical knowhow was needed to hack into the toys to start sharing messages with a child.
But what is the wireless range of the devices? 30ft or so?
Bluetooth devices are sorted into classes depending on radio power and thus range.
Your random USB Bluetooth dongle is usually a Class 2 device with a range of ~10m (about 30ft).
There are USB dongles that are Class 1 devices with a range of ~100m (about 300ft).
Also keep in mind that most walls (except steel reinforced concrete) are transparent to the frequency range used by Bluetooth/Wifi/Wireless-USB/etc.
So by using off-the-shelf parts, an attacker could hack the toys from the street in front of the house.
And that's just the off-the-shelf dongle. Then you can basically watch any computer security conference and see people boosting the range of various wireless gizmos (RFID/NFC dongles, etc.) to crazy distances.
Cue in demos of mass-hacking using a Pringles can-tenna.
(An attacker could scan the whole street using a simple modified Bluetooth setup.)
A burglar wants to see which houses on a street are potentially empty? Just mass-scan all the unsecured IoT thingies (Bluetooth-enabled toys, Wifi-enabled surveillance, etc.) and see which of those only register silence or no visual motion.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]