"Concerning vulnerabilities" in several "smart" toys tipped to be top sellers at Christmas could be used by a stranger to talk or send messages to a child, consumer group Which? has warned.
Which? testing found the Bluetooth connection in four toys - the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy, and Cloud Pets - was not secure, meaning they could be easily accessed with "very little technical know-how".
The testing found:
- a hacker would not need a password, PIN code or any other authentication to achieve access.
- anyone within a 10 to 30-metre Bluetooth range of the Furby could connect to the toy when it was switched on.
- anyone could download the app for the i-Que Intelligent Robot, find one of the toys within Bluetooth range and start chatting using the robot's voice by typing into a text field.
- The Toy-Fi Teddy lacked any authentication protections, meaning the watchdog's hackers could send their voice messages to a child and receive answers back.
- The Cloud Pets toy could be hacked via its unsecured Bluetooth connection and made to play their voice messages.
- Which? has written to retailers calling on them to stop selling toys with proven security issues.
Alex Neill, the group's managing director of home products and services, said: "Connected toys are becoming increasingly popular but, as our investigation shows, anyone considering buying one should apply a level of caution.
"Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold."
Vivid Imaginations, which distributes the i-Que robot toy, told Which? it will "actively pursue this matter" with the manufacturer after "communicating the issues" raised in the published reports.
But it confirmed the toys fully comply with the Toy Safety Directive and European standards, adding: "Whilst some of these reports highlight potential vulnerability in the products, there have been no reports of these products being used in a malicious way.
"While it may be technically possible for a third party to connect to the toys, it requires a certain sequence of events to happen in order to pair a Bluetooth device to the toy, all of which make it difficult for the third party to remotely connect to the toy."
Hasbro, which makes the Furby Connect, said it took the Which? report "very seriously" but said it was "confident in the way we have designed both the toy and the app to deliver a secure play experience".
It added that manipulating the toy would require close proximity and "a number of very specific conditions that would all need to be satisfied in order to achieve the result described by the researchers at Which?".
Spiral Toys declined to comment to Which? in relation to Toy-Fi Teddy and Cloud Pets.