Amazon and eBay are among retailers pulling a brand of cuddly smart toys from sale after warnings they pose a cyber-security threat.
Concerns were raised about CloudPets products in February 2017 after it was discovered that millions of owners’ voice recordings were being stored online unprotected.
Manufacturer Spiral Toys claimed to have taken “swift action”.
But subsequent research commissioned by Mozilla found other vulnerabilities.
The devices’ California-based maker has not responded to requests for comment.
One independent expert told the BBC it was “great to see retailers acting responsibly”, but added she wished they had done so sooner.
“It seems that refusing to sell products that threaten customers’ security and privacy is the only way to make designers and manufacturers of these products care about these risks,” said Angela Sasse, professor of human-centred technology at University College London.
“The fact that Mozilla had to shame the retailers into this action, more than a year after vulnerabilities were first discovered, is not great.
“Hopefully in future retailers will take such action as soon as shortcomings are demonstrated.”
The CloudPets range includes a number of soft animal toys that are fitted with a microphone and speaker.
These allow children to record their own messages and play back the voice recordings of friends and family members, which are uploaded to the net via a Bluetooth-connected app.
Although Spiral Pets eventually addressed the fact that many recordings had been exposed online, security researcher Troy Hunt revealed last year that it had done so only after being contacted four times about the issue.
- Children’s messages in CloudPets data breach
- Watch out for hackable toys says expert
- Germany bans children’s smartwatches
In the meantime, he added, the data had been accessed multiple times by unauthorised parties, and had even been held for ransom, before the matter was resolved.
The same month, a London-based company, Context Information Security, revealed it had found another flaw with the toys that meant hackers could trigger their own recordings in order to spy on owners.
“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else,” Context reported.
“Bluetooth LE typically has a range of about 10m to 30m [33ft to 98ft], so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”
The non-profit Mozilla Foundation – which develops the Firefox browser – subsequently commissioned a German research company to carry out further tests this year.
Cure53 found that the second flaw had not been fixed.
It reported a further problem: the toys’ app referred users to a tutorial website whose domain registration had lapsed.
There was a risk, Cure53 said, that hackers could obtain the web address and use it to mount further attacks on families.
“I’m a mother of two young kids,” Ashley Boyd, vice-president of advocacy at Mozilla told the BBC.
“In a world where data leaks and breaches are becoming more routine and products like CloudPets can sit on store shelves, I’m increasingly worried about my kids’ privacy and security.”
Duty of care
Mozilla shared the findings with digital rights group the Electronic Frontier Foundation, which wrote a letter to US retailers selling the items.
“What CloudPets demonstrates is the potential privacy risks that even a toy with limited connectivity can pose,” it said.
“That’s why we also urge you to consider putting in place new or improved systems to ensure that products you stock, especially those that collect the information of children, have basic practices in place to respect the trust that consumers place in them.”
Although the toys no longer appear on Amazon’s US store, they are still listed on its UK site.
Amazon declined to comment.
Walmart and Target are among other US companies reported to be halting sales.
UK stores Tesco and The Entertainer also used to stock CloudPets toys, but both appear to have stopped doing so after the earlier reports.
The BBC has also contacted Google and Apple, who continue to offer CloudPets’ apps on their stores.
Both said they were looking into the issue.
Update 7 June:
A spokesman for Amazon said Cloudpets’ products have now been removed from its UK site.