Children are at risk of being contacted by strangers and seeing offensive images through their must-have smart toys, an investigation has found.
Consumer group Which? found security flaws in toys including walkie talkies, karaoke machines and robots which could leave them open to being hacked, hijacked by other users or lack online filters.
With the UK expected to spend billions of pounds on toys this Christmas, the group is calling on retailers – including John Lewis, Amazon, Argos and Smyths toy store – to withdraw a number of ‘connected’ or ‘intelligent’ toys.
Out of seven popular devices tested, three of them could be exploited so a stranger could communicate with a child, the group found.
The £30 Vtech KidiGear Walkie Talkies could allow someone to start a two-way conversation with a child from a distance of up to 200 metres (656ft).
Karaoke microphone, sold by Xpassion/Tenva, and Singing Machine SMK250PP, both popular children’s karaoke products, allow people within 10m (32.8ft) of them to send recorded messages as the Bluetooth connection has no authentication feature.
Two of the products – Bloxels, a physical and online video game builder, and coding game Sphero Mini – have no filter to prevent explicit language or offensive images being uploaded to their online public platforms.
Which? also found several toys could be hacked as users do not have to use strong passwords for online accounts meaning their personal data could be at risk if the account is compromised.
The Boxer Robot, an interactive artificial intelligence robot, Bloxels, Sphero Mini and the Singing Machine were all found to have security issues which leave them open to online hacking.
Which? is asking the next government to make it mandatory for manufacturers to ensure smart products meet appropriate security standards before they are able to go on sale.
Neena Bhati, head of campaigns at Which? told Sky News: “In some of the toys that we found, the major concern was that someone else could connect to the toy and actually start a two-way conversation with the child and this could be up to 200 metres away from the toy itself.
“This is quite concerning because parents might not always be around while their children are playing with these products, therefore not know what’s happening with the child and whether its communicating with anyone else – that can be quite dangerous.”
Tim Rawlins, director of cyber security experts NCC Group which has previously helped the government with cyber security legislation, said manufacturers should be responsible for making sure their toys are safe before they go on sale.
He told Sky News: “Manufacturers really should look at the guidelines and start to develop security really from the beginning of the design process, if you build security in, its far cheaper.”
An Amazon spokesman said the online retail giant requires “all products offered in our store to comply with applicable laws and regulations”, and it “proactively” monitors “multiple sources for safety notifications”.
A John Lewis spokeswoman told Sky News: “We take the security and privacy of connected devices very seriously.
“In the last year, we have been working with the Department for Digital, Culture, Media and Sport to explore how we can best support the voluntary code of practice which improves the security of connected technology products.”
Sky News has contacted Argos and Smyths for a comment.