The consumer body, whose resident hackers found they could easily send text and audio messages through the toys, notes that while Bluetooth is typically limited to a distance of 10 metres, the range could be extended and picked up by hackers further away.
Alex Neill, managing director of home products at Which?, said: "You wouldn't let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connect toy". Security experts warned that some toys which used Bluetooth wireless technology had few or no security measures.
Consumer groups are calling on retailers to take these "connected" or "intelligent" toys, which could put children's safety at risk, off the shelves immediately.
Toy-fi Teddy allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. Which? found the Bluetooth connection lacked any authentication protections, meaning hackers could send voice messages to a child and receive answers.
Which? found someone could hack CloudPets via its unsecured Bluetooth connection and make it play their own voice messages.
I-Que maker Vivid Imaginations said there had been no reports of any malicious use of its products, but it would be reviewing Which?'s findings. "If that can't be guaranteed, then the products should not be sold".
A spokesperson for Hasbro, which makes the Furby Connect, said that children's privacy was a "top priority" and that they were created to comply with children's privacy laws.
Which? has called for all connected toys with known privacy or security issues to be taken off sale before parents begin their Christmas shopping.
"These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities-including speech recognition and Global Positioning System options", the agency wrote in the advisory, cautioning that certain toys could be hacked to record video and audio of children without their parents' knowledge. It said: "We believe that [hacking into the toy] would require close proximity to the toy, and that there are a number of very specific conditions that would all need to be satisfied in order to achieve the result described".
'A tremendous amount of engineering would be required to reverse engineer the product as well as to create new firmware.
IT Pro has asked for comment from Spiral Toys, which makes the Toy-fi Teddy, and CloudPets, but the companies have yet to issue a comment on Which?'s report.
The British Toy and Hobby Association said in a statement that it will monitor these toys to ensure that they're safe.