Kids' karaoke machines and smart toys from Mattel and Vtech among those found to have security flaws

Toys are meant to be fun, but there's nothing entertaining about a stranger using one to talk to your child. Yet we've found toys available to buy this Christmas that might be used to do just that.

We first investigated smart toys in 2017, testing a range of toys featuring a network connection, app or other smart interactive feature. We found concerning vulnerabilities at that time, and so it's extremely worrying that two years on we are here reporting similar issues.

We purchased seven smart toys from major retailers, including Amazon, Smyths, Argos and John Lewis, and asked security specialist lab, NCC Group, to test them.

NCC found various concerning issues that could potentially put children at risk.

Read on to find out which toys we are talking about, and get advice on how to protect your little ones while buying smart toys this Christmas. Download our smart toys safety checklist before you buy.

Karaoke microphone / Singing Machine SMK250PP

Whether you're a wannabe pop star or tone-deaf trier, karaoke toys are very popular as a gift for children or families.

Many now come with smart functionality, usually via Bluetooth, so you can use an app or stream songs from your smartphone.

We assessed two of these. One was the Singing Machine SMK250PP (pictured above). The other was a pink karaoke microphone we bought from Amazon seller TENVA (pictured below).

Our snapshot test revealed that neither of these machines required authentication, such as a Pin code, on the Bluetooth connection.

That means anyone can connect to the toys and send recorded messages to your child.

While the child cannot send messages back, an attacker in Bluetooth range (around 10 metres) could suggest to the child, 'come outside to get some free sweets', for example. 

In addition, both these toys are vulnerable to what's known as a 'second order attack'.

This involves someone using the karaoke machines to exploit another voice-controlled device, such as a nearby Amazon Echo.

An attacker could, for example, attempt to order products using someone's Amazon account and, if successful, then intercept the parcel.

Or they could try to control connected devices, such as opening a smart door lock.

The fun of karaoke machines is that everyone can stream songs easily from their phones, but as the product is aimed at children, we believe extra security should be in place so that only trusted people can connect.

Singing Machine, which makes the the Singing Machine SMK250PP, told us in response to our findings that a user would need to manually enter Bluetooth pairing mode in order to add a new device. However, our testing suggested otherwise.

When we tested, we paired with an iPhone, streamed some audio, then turned off Bluetooth on the iPhone, at which point we were immediately able to connect a new device (a Windows laptop) and stream Bluetooth audio.

So as long as the machine is on, it will connect with any Bluetooth streaming device that initiates communication with it.

In a statement, Singing Machine said:'Safety is top priority with every Singing Machine product produced, as demonstrated by our 37 year history without a product recall.

'We follow industry best practices as well as all applicable safety and testing standards.'

We were unable to contact the company selling the karaoke microphone toy. This was despite us using the online contact forms on Amazon (which fulfilled delivery of the product for seller TENVA) to try to get the seller's contact details and contacting Amazon directly to request assistance in tracking down TENVA to review our findings. 

Vtech KidiGear walkie-talkies

Kids love using walkie-talkies, and if you were buying these Vtech KidiGear walkie-talkies for your little one, you might feel assured by the 'encrypted digital communication' claim on the box.

Our testing revealed that the walkie-talkies do use some encryption technology, meaning communications between two handsets are protected to some degree.

However, a stranger could contact a child by exploiting a specific flaw in how the walkie-talkies pair with each other.

The stranger would need to have their own set of the walkie-talkies in question and pair those with your child's set at the point of switching on, as that's when these walkie-talkies are vulnerable.

This would mean a two-way conversation could then go on between the stranger and the child, which could last until the child's walkie-talkie is turned off.

Further, unlike Bluetooth (which is typically limited to a 10-metre range) the walkie-talkies claim to connect up to 200 metres away. So, someone could be comfortably over the street, or on the other side of a park.

It's a scenario that requires several 'ifs' to come about, but we'd rather 'encrypted' meant fully secure than 'there's a window of opportunity'.

Vtech told us: 'Further to the recent Which? findings, we would like to reassure consumers on the safety of the VTech KidiGear Walkie Talkies, which uses the industry-standard AES encryption to communicate.

'The pairing of KidiGear Walkie Talkies cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30 second window in order to connect.'

Vtech also noted that if the child's walkie-talkie is already paired in a conversation with another walkie-talkie user, such as a parent, a third handset owned by a stranger would be unable to pair. 

Mattel FFB15 Bloxels Build Your Own Video Game

While there is a board game element to this toy, which is distributed by toy giant Mattel, what's more concerning is the Bloxels education web portal, created by Pixel Press.

On this, users of this Bloxel toy can create, upload and play games on a smartphone or tablet.

We found that there is seemingly no moderation for any inappropriate content in the games.

We were able to upload a game with swearing to the Bloxels store, making it available to all other users.

Bloxels has an arcade where games are highlighted to other users and our game did not appear on there. There is a function for content to be taken down if reported, but we obviously didn't leave the game up long enough to see if this occurred.

Although our game wasn't featured on the Bloxels arcade, it's concerning that there's not even a block on uploading swearing to this child-oriented platform.

The Bloxels Edu consumer website doesn't use a strong enough level of encryption, while accounts can be created with weak passwords. Because of this, accounts could easily be hacked and someone could post a rogue game anonymously.

Better security measures are available on the Bloxels education website, but we feel thatthe consumer portal should be equally safeguarded.

Mattel and Pixel Press (maker of Bloxels Edu portal) declined to comment. The board game has now been discontinued, but it was still available at time of publication and the Bloxels Edu portal remains live. 

Sphero Mini interactive toy

The Sphero is designed to help kids learn to code. While it has unauthenticated Bluetooth, like the karaoke machines, anyone who takes control of the robot can't do much that is malicious.

The bigger issue is that, just like the Bloxels, inappropriate content can be posted on its companion online platform.

In Sphero's case this involves the 'speak' function that allows you to add text to be spoken out to other users.

This means that offensive language could be transmitted to your children via the app on their smartphone or tablet.

Sphero did not respond to a request for comment. 

Boxer interactive toy

The actual toy element of this cute little robot doesn't pose much of a risk to the child or parents. You download an app to control the toy, but it doesn't require any login details or an account to be created.

However, there are some account and password security issues that need addressing by the manufacturer, Spinmaster US.

Separate online accounts can be created by the parent or child at http://www.spinmaster.com/ that are weak and easy to hack or intercept. The risk here is that your personal data could be put at risk if the account is compromised, or the company running the online service suffers a data breach.

We found similar issues with the website of Bloxels Edu, as well as the Sphero and the company behind the Kids Singing Machine. With products aimed at children, the lack of basic personal security/privacy measures for user accounts on the app or website is quite alarming and runs against good practice.

Spinmaster, maker of the Boxer toy, pointed out that there's no need to set up an account via the Spinmaster US website to use the Boxer toy or the companion Android/iOS app (which doesn't require a login). 

Good news: Rizmo had no problems!

The good news is that not all the smart toys we tested have problems.

The Rizmo is one of the hotly tipped toys of Christmas 2019.

At first glance we thought it might be like the Furby that we tested previously and found significant issues.

However, the Rizmo does not have a network connection or a mobile app, meaning all interaction is purely between the toy and the child.

Therefore, you can buy the Rizmo without worrying about your child's safety and security.

We contacted the toys industry

As reported in the video above, we raised concerns about security risks of some smart toys like the iQue Robot (pictured below), in an investigation published in 2017.

It's extremely worrying that two years on we found the same issues - such as Bluetooth connections which lack security measures - and new issues too.

Smart toys are one of the key areas identified by the government's drive to make connected products 'secure by design'.

We're calling on the toys industry to ensure that unsecure products like the ones we've identified are either modified, or ideally made secure before being sold in the UK.

We shared our findings with industry body, the British Toy and Hobby Association, and the Department for Culture, Media and Sport about our research. 

How to buy and use smart toys safely

1. Read the description of the connected toy carefully in the shop or online. Find out what the toy actually does and how your child will interact with it. Toys such as the Rizmo don't require an external network connection or mobile app, and so the risk to your child is lower.
2. Search online to see if there have been any security concerns raised about the toy previously, such as a leak of personal data. If you are at all concerned, consider a non-smart toy instead.
3. If you do buy a smart toy, submit only the minimal amount of personal data required when setting up an account for your child. That way, not too much data is exposed if things do go wrong. Do set strong passwords, though, to ensure any accounts are properly protected.
4. Keep an eye on your child when they're playing with the smart toy, particularly if it can send or receive messages. It is not advised to leave them unsupervised.
5. When your child is not playing with the smart toy, make sure you turn it off completely so that it is not vulnerable to being exploited.

How we tested the smart toys

The toys we tested were selected based on the fact that they use some sort of smart or connected technology, that they are available in at least one major retailer (ideally more) and are popular with consumers (they have lots of user reviews or they have been placed on 'top seller' or curated lists, for example).

We asked NCC Group, security testing, audit and compliance experts, to test the smart/connected toys.

A team comprising web, hardware, mobile, infrastructure and privacy experts assessed the toys for whether they could be exploited to pose a risk to the child and/or parents.

The researchers performed a suite of tests, ranging from an assessment of software vulnerabilities to a full hardware teardown to investigate how the toys have been made.