My Friend Cayla was found to be equipped with an insecure Bluetooth device, which cybercriminals could hijack, in order to steal personal data and listen and talk to the child playing with it.
Germany’s Federal Network Agency (Bundesnetzagentur) has now warned parents to destroy it, according to the BBC.
The doll answers users’ questions by accessing the web, but also asks for sensitive personal information, such as the user’s name, school, parents’ names and hometown.
A coalition of campaign groups last year filed a complaint with the Federal Trade Commission against Genesis, the company behind My Friend Cayla, alleging that the toys wrongfully collect data from children and sent it to Nuance Communications, a speech-recognition company that built the toy’s accompanying app.
Similar concerns were raised about the i-Que Intelligent Robot, also created by Genesis.
“Researchers discovered that by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys,” read the FTC complaint.
Student Stefan Hessel first raised legal concerns about My friend Cayla, telling Netzpolitik.org that a hacker could connect to its speaker and microphone system with a Bluetooth-enabled device from a range of 10m.