Amazon and eBay are among retailers pulling a brand of cuddly smart toys from sale after warnings they pose a cyber-security threat.
Concerns were raised about CloudPets products in February 2017 after it was discovered that millions of owners’ voice recordings were being stored online unprotected.
Manufacturer Spiral Toys claimed to have taken “swift action”.
But subsequent research commissioned by Mozilla found other vulnerabilities.
The devices’ California-based maker has not responded to requests for comment.
One independent expert told the BBC it was “great to see retailers acting responsibly”, but added she wished they had done so sooner.
“It seems that refusing to sell products that threaten customers’ security and privacy is the only way to make designers and manufacturers of these products care about these risks,” said Angela Sasse, professor of human-centred technology at University College London.
“The fact that Mozilla had to shame the retailers into this action, more than a year after vulnerabilities were first discovered, is not great.
“Hopefully in future retailers will take such action as soon as shortcomings are demonstrated.”
The CloudPets range includes a number of soft animal toys that are fitted with a microphone and speaker.
These allow children to record their own messages and play back the voice recordings of friends and family members, which are uploaded to the net via a Bluetooth-connected app.
Although Spiral Toys eventually addressed the fact that many recordings had been exposed online, security researcher Troy Hunt revealed last year that it had done so only after being contacted four times about the issue.
In the meantime, he added, the data had been accessed multiple times by unauthorised parties, and had even been held for ransom, before the matter was resolved.
The same month, a London-based company, Context Information Security, revealed it had found another flaw with the toys that meant hackers could trigger their own recordings in order to spy on owners.
“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else,” Context reported.
“Bluetooth LE typically has a range of about 10m to 30m [33ft to 98ft], so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”
The non-profit Mozilla Foundation – which develops the Firefox browser – subsequently commissioned a German research company to carry out further tests this year.
Cure53 found that the second flaw had not been fixed.
It reported a further problem: the toys’ app referred users to a tutorial website whose domain registration had lapsed.
There was a risk, Cure53 said, that hackers could obtain the web address and use it to mount further attacks on families.
“I’m a mother of two young kids,” Ashley Boyd, vice-president of advocacy at Mozilla, told the BBC.
“In a world where data leaks and breaches are becoming more routine and products like CloudPets can sit on store shelves, I’m increasingly worried about my kids’ privacy and security.”
Walmart and Target are among other US companies reported to be halting sales.
UK stores Tesco and The Entertainer also used to stock CloudPets toys, but both appear to have stopped doing so after the earlier reports.