Researchers at NCC Group and the consumer group Which? jointly tested smart toys from several top brands, including Mattel and Spin Master.
What did they find?
Many of the toys did not require authentication when pairing with a device.
Another flaw was that some toys required logging in to certain websites for updates or to download certain features. These websites lacked encryption, leaving account and session data exposed to interception by almost anyone.
Researchers also found another vulnerability associated with some of the toys: the websites indicated whether a username or email address was already registered. This could allow attackers to launch brute-force attacks to obtain registered usernames and email addresses.
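The registration behaviour described above, next to a form that does not reveal account existence, with a regression check that tells them apart. This is an added example, not code from the researchers or any toy vendor; the handler names, messages and sample addresses are constructed, and the check compares only status and body, not response timing.

```python
def make_store():
    # Constructed sample data: one address that is already registered.
    return {"parent@example.com"}

def register_leaky(store, outbox, email):
    """Pattern from the finding: status and body differ for known addresses."""
    if email in store:
        return 409, "That email address is already registered."
    outbox.append((email, "confirm-new-account"))
    return 201, "Account created. Check your inbox to confirm."

def register_uniform(store, outbox, email):
    """Hardened form: the HTTP response is identical either way. Only the
    person who controls the mailbox learns whether the account existed."""
    if email in store:
        outbox.append((email, "already-registered-notice"))
    else:
        outbox.append((email, "confirm-new-account"))
    return 202, "If this address can be used, we have sent it an email."

def leaks_existence(handler, known, unknown):
    """Regression check: True if the response for a registered address is
    distinguishable from the response for an unregistered one."""
    store, outbox = make_store(), []
    assert known in store and unknown not in store
    return handler(store, outbox, known) != handler(store, outbox, unknown)

if __name__ == "__main__":
    for handler in (register_leaky, register_uniform):
        leaked = leaks_existence(handler, "parent@example.com", "new@example.com")
        print(handler.__name__, "leaks account existence:", leaked)
```

The same check applies to login and password-reset responses, which can disclose the same information.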
What they’re saying
“While the onus should never fully lie with parents or guardians, checking that the product literature has sufficient reference to security and privacy before purchasing should be the first step. And if concerns persist after purchasing the device, supervision should always be performed on toy operation and any accompanying online activity and use,” said NCC Group, which took part in the research.
“Safety is top priority with every Singing Machine product produced, as demonstrated by our 37 year history without a product recall. We follow industry best practices as well as all applicable safety and testing standards,” said Singing Machine in a statement.