'Hackable' karaoke and walkie talkie toys found by Which? Published duration 10 December 2019

image copyright VTech image caption Which? found that strangers could connect to the walkie talkies from up to 200m

A walkie talkie toy and two karaoke devices have been found to be potentially hackable, consumer group Which? has claimed.

The toys' Bluetooth connections were tested by Which? and cyber-security firm NCC Group.

They found a nearby stranger could potentially talk to children via them.

Vtech, which made the walkie talkie, said new connections could not be made if a parent's device had already been paired with the toy.

It added that pairings would have to be made within specific 30-second windows.

Which? examined several devices sold by retailers including Amazon, Argos, John Lewis and Smyths, and said some were "lacking in basic security".

Three out of seven popular toys examined during tests were found to have flaws, meaning a stranger could - under certain conditions - speak to children via the devices.

Stranger danger

A stranger could, for example, use a Vtech's KidiGear walkie talkie to pair to another one of the devices being used by a child - from a distance of up to 200m (656ft).

The Bluetooth pairing of devices, however, would have to take place within a 30-second window, once the child's device was activated.

"Based on all this information we have gathered, we believe that there is a risk of someone observing a child playing with the walkie talkies and exploiting the above scenario," said Which?

In a statement, Vtech said pairings could not occur if the child's walkie talkie was already linked to another device, such as one used by a sibling or parent.

"Further to the recent Which? findings, we would like to reassure consumers on the safety of the VTech KidiGear Walkie Talkies which use the industry standard AES encryption to communicate," Vtech added.

"The pairing of KidiGear Walkie Talkies cannot be initiated by a single device.

"Both devices have to start pairing at the same time within a short 30-second window in order to connect."

image copyright Singing Machine image caption Singing Machine says safety is a "top priority"

Which? also found that the Singing Machine SMK250PP karaoke machine had been designed so that a stranger could stream audio to a child from a distance of up to 10 metres because the Bluetooth connection did not ask for authentication.

"So as long as the machine is on and is listening for Bluetooth connections, it will happily connect with any Bluetooth streaming device that initiates communication with it," said Which?

In a statement, the firm said: "Safety is top priority with every Singing Machine product produced, as demonstrated by our 37-year history without a product recall.

"We follow industry best practices as well as all applicable safety and testing standards."

image copyright Xpassion/Tenva image caption The BBC was unable to contact the firm behind the karaoke device

Another karaoke microphone suffered from the same kind of vulnerability, Which? said.

"Even little baby know how to use," reads a description for the device on Amazon.

Which? said it was unable to contact the firm behind the microphone. The BBC also attempted to reach the company, without success.

A number of other devices were tested by Which? for different security issues, including the Mattel FFB15 Bloxels Build Your Own Video Game.

An online platform associated with the toy, a board game, was found to have no filter to prevent explicit language or offensive images from being uploaded.

The toy is no longer being made.

Mattel told the BBC: "The specific web platform referred to in this report, which was produced by a third party, was closed and the physical product was discontinued after finishing its license agreement earlier this year in June."

Which? reported that Pixel Press, which made the online platform, had declined to comment. The BBC has separately contacted the firm.

'Depressingly simple flaws'

"These are depressingly simple security flaws," cyber-security expert Ken Munro told the BBC. "There is no excuse for big brand names such as these to be vulnerable."

Mr Munro has previously exposed cyber-security vulnerabilities in toys, including in talking doll Cayla

He noted that the DCMS is consulting on regulation which would cover such products and he also pointed out that the US state of California will implement regulation for consumer internet-of-things products from 1 January.

That is likely to influence manufacturers around the world, argued Mr Munro.