From the Star Wars BB-8 droid to smartwatches for children, new cybersecurity research suggests that many products placed under Christmas trees this year can easily be hacked.
Experts have warned that some popular toys – including drones, RC cars and educational devices – could be exploited to spy on children, due to a slew of shocking security vulnerabilities.
These included the Q50 smart tracking watch, Mass Effect: Andromeda RC car, Sky Viper drone, AirHogs car, Cognitoys Dino and the Star Wars BB-8 droid.
"It was shockingly simple to take full control of these toys," Lewis said. "This opens up a number of frightening scenarios where anyone [...] can discover vulnerable Wi-Fi enabled toys, and can hack into these devices with the intent of violating a child's privacy or worse."
Upon analysis, the researcher said the Q50 Smart Tracking Watch was "fundamentally not secure" and that any child wearing the product is in danger of being hacked.
Bugs in the watch allow an attacker to "intercept all communications", remotely listen to a child's surroundings and fake a child's location, the paper, published Friday (9 December), revealed.
The product had no authentication or encryption, and the research suggested that its flaws could let hackers send messages to the watch. It also shipped with a default password of 123456, Lewis added.
With a new Star Wars movie on the horizon, the BB-8 droid will no doubt be a popular gift this year. Research found that, like most Bluetooth devices, it had "no authentication mechanism".
Lewis wrote that this lack of protection meant it was "fairly trivial" for a hypothetical attacker to take control of the device's movement, and also to change its colour using a built-in feature.
But luckily for users, there is little else a hacker could do with the child-friendly BB-8 toy other than wrest it from a user's control and send it rogue across the room.
The Mass Effect: Andromeda RC car, however, was at high risk of hacking – it took under 15 minutes to compromise. Because the car used no encryption, attackers could intercept live video streams from its built-in camera and even infect the toy with malware via dodgy software updates.
The Sky Viper drone exposed its video streams over Wi-Fi. The Cognitoys Dino – an educational toy – left communications open to interception. And lastly, the AirHogs car's camera system could be used to snoop.
Manufacturers of the toys with high-risk security bugs were contacted by Top10VPN – the company that commissioned the study – before the report's publication.
But Top10VPN said that none responded.
"These shocking findings must serve as a wake-up call to the toys industry and regulators to prevent children from being put at risk," said Simon Migliano, head of research for Top10VPN.
"Until there is a security standard that must be met by all connected toy manufacturers, we would urge parents to think very carefully about buying any smart products for their children."
He added: "It's easy to get caught up in the fun of toys that have increasingly sophisticated functionality built in, but given what we've managed to do with the six toys we tested, as a parent myself, I certainly would not expose my children to this kind of danger."