A consumer watchdog company has called several internet-connected toys into question just ahead of the holiday shopping season.
According to BBC, the U.K.-based company Which? has asked retailers to stop selling popular toys with security issues, including the Furby Connect, i-Que Robot, CloudPets and Toy-fi Teddy, all of which can connect to the internet or Bluetooth.
The toys don’t require any authentication when customers connect the toys to Bluetooth, which creates security issues, Which? said. Specifically, a separate party or hack could connect to the toys, gaining the ability to send messages or take control of the toy.
For example, the company said someone could, in theory, connect to the Furby Connect’s Bluetooth and then connect to any other tech device within range of the toy that has Bluetooth capabilities, according to The Guardian.
"Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution," said Alex Neill, managing director of home products and services at Which?, according to BBC. "Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold."
Hasbro, who creates the Furby Connect, said in a statement to The Guardian that the security concerns Which? created from specific conditions that would require "a tremendous amount of engineering to reverse-engineer the product as well as to create new firmware."
Vivid Imagination, who creates the i-Que toy, said it hasn’t seen any reports of the toy being manipulated.
The British Toy and Hobby Association said in a statement that it will monitor these toys to ensure that they’re safe.
“We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality," the association said.
Security concerns over smart toys are increasing. CloudPets drew criticism back in February for its “security oversight,” according to The Huffington Post.
The company’s toys allow for people to store and replay voice messages and send them over the internet. Customer information — like the login and password information, along with those voice recordings — was stored in an easily accessible location, The Huffington Post reported.
Online security expert Troy Hunt told The HuffPost that he discovered people’s kids’ names, birthdays and relationship with the person they sent messages to.
One customer tweeted out how hackers could even send messages through the toys, too.
The FBI warned parents back in July about the potential issues with connected toys, saying that smart toys often use cameras, sensors and microphones, which could all create security issues.
"These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed," the FBI said, according to NBC News.
Robert Siciliano, CEO of IDTheftSecurity.com, told NBC News that parents "should further make sure that the device firmware is updated, their own PCs are properly protected, and the Wi-Fi is secure," he said. "And use strong passwords."