Smart toys are becoming more of a common gift for kids nowadays, but British consumer group Which warns that several come with security issues that could put children at risk.

With the help of security special lab NCC Group, Which evaluated seven smart toys sold by various retailers, including Amazon, Argos, and John Lewis.

Two tested karaoke toys, namely Singing Machine SMK250PP and a microphone sold by TENVA, do not use authentication methods like a PIN code for Bluetooth connection, and pretty much anyone in Bluetooth range can connect to the device.

Singing Machine, the maker of the first toy, claims the user needs to manually enter Bluetooth pairing, but Which says anyone can connect to the device when it’s turned on.

“Secure by design”

As for walkie talkies, despite claiming they use “encrypted digital communication,” KidiGear devices come with a pairing flaw that allows a stranger to connect after they are turned on.

“The pairing of KidiGear Walkie Talkies cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30 second window in order to connect,” the manufacturer explains.

Devices like the Mattel FFB15 Bloxels, the Sphero Mini interactive toy, and Boxer come with security issues of their own, putting children at risk in some way or another. The Boxer toy, for instance, requires an app to control it, only that no account is required.

Which calls for the government to require manufacturers to make smart toys secure by design, technically ensuring that the common security practices are applied when releasing them to customers.

“We’re calling on the toys industry to ensure that unsecure products like the ones we’ve identified are either modified, or ideally made secure before being sold in the UK. We shared our findings with industry body, the British Toy and Hobby Association, and the Department for Culture, Media and Sport about our research,” the group explains.