My Friend Cayla Doll, Other Toys, Hackers’ Delight and Parents’ Nightmare

my friend cayla hackers
Share the knowledge

If your child, or someone you know, received a My Friend Cayla doll, a Furby Connect doll, a Q50 children’s smartwatch, or a Sphero BB-8 droid (or quite likely one of a number of other toys or devices aimed at children, and that connect to the Internet via Bluetooth), that device – and thus the child who plays with it or uses it – is at risk of being hacked, personal data stolen, and even a hacker talking to the child, all because of unsecure Bluetooth connections.

In fact, the issues with My Friend Cayla are so severe that Germany’s Bun­desnet­za­gen­tur (Germany’s Federal Network Agency that oversees, among other things, telecommunications and other aspects of technology) pulled the My Friend Cayla doll off the market in Germany completely, calling My Friend Cayla “an illegal espionage apparatus” and urging parents whose child had the doll to destroy it.

That act by the Bun­desnet­za­gen­tur happened near the beginning of 2017, but that didn’t stop other markets, including the U.S., from continuing to market My Friend Cayla.

In the UK, when the matter was brought to light, the UK’s Toy Retailers Association pooh poohed the concerns, saying that My Friend Cayla offered “no special risk,” and adding that “we would always expect parents to supervise their children at least intermittently.”

Yet according to the BBC it had been already been demonstrated that a “hack allowing strangers to speak directly to children via the My Friend Cayla doll has been shown to be possible.”

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

Essentially, the issue is that when the doll is powered on, if it is not already connected to a specific device via Bluetooth, any device within a 50-foot radius can connect to it. The same is true for the Furby Connect (heck, ‘Connect’ is right in its name), the BB-8 droid, and the Q50 watch.

While Amazon has since pulled the doll, My Friend Cayla was available on Amazon during 2017. It’s not clear whether Amazon stopped selling the beleaguered doll because of the hacking and privacy concerns, or because the reviews for the doll – which had been quite good – tanked once the issues came to light.

my friend cayla amazon review 1


my friend cayla amazon review 2


my friend cayla amazon review 3


That said, the My Friend Cayla Amazon pages are still viewable in Google cache, which suggests that they weren’t pulled down all that long ago.

The doll is still available at other online shopping sites such as RepairUniverse and, of course, eBay.

We also note that the Furby Connect, Q50 watch, and BB8 droid are still available on Amazon.

So, what should parents do?

Jeffrey Esposito, over at Kaspersky Lab, has great advice for parents in his article about the connected toys issue generally, and about My Friend Cayla specifically.

This is something that falls under individual preference, but here’s what I like to do when buying toys for my kids or looking at the gifts they receive on birthdays or Christmas:

  1. Decide if the device needs to be online. Usually this is a No for me, but there are some exceptions.
  2. Determine what the app/toy is looking to collect. Some of the sites that we have looked at that tie to our kids toys ask for frightening amount of info: birth date, address, name, sibling names, and geolocation, for example. Identity thieves salivate over this.
  3. See if you can change the default password of the device. Believe it or not, my kids got a toy that could project stories on the ceiling, but it also asked for you to remove Wi-Fi passwords from the network and also let it override your phone security settings because it could not store complex passwords.
  4. Decide your comfort level and if your kids really need the item.
  5. Remember that we are living in a digital age, and all devices and sites with valuable information are targets.
  6. Read reviews and look up security notes on the toy.

These are great points, and we couldn’t have said it better ourselves.

You can read his whole article about the My Friend Cayla issues here.

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link


Share the knowledge

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.