A Cute Toy Just Brought a Hacker Into Your Home

The problem isn’t new, but it’s growing as manufacturers introduce a wider range of toys that can connect online, part of an overall trend of “smart” electronics. About 8.4 billion “connected things” will be in use worldwide this year, according to estimates from research firm Gartner, up 31 percent from 2016, with the number projected to rise to 20.4 billion by 2020.

Sarah Jamie Lewis, an independent cybersecurity researcher who tested toys ahead of the holiday season, said many of the products did not take basic steps to ensure their communications were secure and that a child’s information would be protected. She said the toys acted as “uncontrolled spy devices” because manufacturers failed to include a process that would allow the gadget to connect to the internet only through certain trusted devices.

Consider the Furby Connect doll made by Hasbro, a furry egg-shaped gadget that comes in teal, pink and purple. Researchers from Which?, a British charity, and the German consumer group Stiftung Warentest recently found that the Bluetooth feature of the Furby Connect could enable anyone within 100 feet of the doll to hijack the connection and use it to turn on the microphone and speak to children.


Earlier this year, Germany’s Federal Network Agency, the country’s regulatory office, said the My Friend Cayla doll was “an illegal espionage apparatus.”


Then there’s the Q50, a smart watch for children. The watch is marketed as a way to help parents easily communicate with and keep track of their kids, but bugs in it would allow hackers to “intercept all communications, remotely listen to the child’s surroundings and spoof the child’s location,” according to a report this month by Top10VPN, a consumer research company.

And the BB-8 droid, which was released with “The Last Jedi” this month, also had an insecure Bluetooth connection, according to Ms. Lewis’s tests.

SinoPro, the Chinese manufacturer of the Q50 watch, and Genesis, the maker of the Cayla doll, did not respond to requests for comment. Sphero, the maker of the BB-8 connected droid, said the toy is “adequately secure.” Hasbro said the Furby Connect complies with the United States Children’s Online Privacy Protection Act, and that it hired third-party testers to perform security testing on the toy and app.

Toy manufacturers have long searched for ways to bring toys alive for children. While microphones and cameras introduced some level of responsiveness, those interactions were generally limited to a canned response preset by a manufacturer. Internet connections opened up a new wealth of possibilities; now the toys can be paired with a computer or cellphone to allow children to constantly update their toys with new features.

The My Friend Cayla doll, for example, uses speech recognition software coupled with Google Translate. The doll’s microphone records speech and then transmits it over the internet, a function that leaves it open to hackers, according to cybersecurity researchers. If the doll’s owner does not designate a specific cellphone or tablet with which the doll should have an internet connection, anyone within 50 feet of the toy can use the Bluetooth connection to gain access to it. Security researchers have also raised concerns over what type of data the doll collects, and how the data is used.