CONSUMER WATCHDOG Which? has warned parents to keep security-unaware connected toys away from their children this Christmas.
The firm has found that toys with built-in Bluetooth and WiFi, or those that come with companion mobile apps, use unsecure connections that allow the devices to be accessed without a password or a PIN and with "hardly any technical know-how."
This means that - in theory, at least - anyone could to manipulate the voice control of a popular toy and speak directly to your child.
Which? has revealed that the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets toys were all susceptible to this hack.
The consumer body, whose resident hackers found they could easily send text and audio messages through the toys, notes that while Bluetooth is typically limited to a distance of 10 metres, the range could be extended and picked up by hackers further away.
Vivid Toys, UK distributor of i-Que, said that it takes the issues highlighted by Which? "very seriously", although was quick to add that "there have been no reports of these products being used in a malicious way."
"The connected toys distributed by Vivid fully comply with essential requirements of the Toy Safety Directive and harmonised European standards, and (we) consider these products to be safe for consumers to use when following the user instructions," the firm said in a statement, adding that it would take the firm's recommendation about adding Bluetooth authentication to Genesis Toys.
Hasbro, the maker of Furby Connect, said that despite Which?'s research showing otherwise, it is "confident in the way we have designed both the toy and the app to deliver a secure play experience.
"The Furby Connect toy and Furby Connect World app were not designed to collect users' name, address, online contact information (eg, username, email address, etc.) or to permit users to create profiles to allow Hasbro to personally identify them, and the experience does not record your voice or otherwise use your device's microphone," it added.
Spiral Toys, which makes the Toy-Fi Teddy and CloudPets devices, has not yet commented on the report.
Which? is now putting its foot down and is calling for all connected toys with proven security or privacy issues to be taken off sale, citing the example of the German 'Cayla' doll being yanked from shelves after it was revealed that it records children's conversations and uploads them to the cloud.
Alex Neill, Which? managing director of Home Products and Services, said: Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
"Safety and security should be the absolute priority with any toy. If that can't be guaranteed, then the products should not be sold."" µ
And why all the machine learning happens inside your home network
Another week of Google news in brief
It was nice knowing you, sort of
Third time unlucky