Fisher-Price has patched a vulnerability in its smart toys that could have allowed an attacker to gain unauthorized access to children’s personal information.
The Fisher-Price Smart Toy brand is a line of digital stuffed animals that are marketed to children for educational and entertainment purposes. For example, the company’s smart teddy bear comes with a tiny camera hidden on its nose.
The toy’s hidden camera reads a set of smart cards and triggers the bear to tell jokes, share interesting facts with a child, and initiate a number of other play and/or learning activities.
The functionality of Fisher-Price’s smart teddy bear, as well as its other smart toys, is augmented over Wi-Fi via a companion mobile application for parents.
It is through analyzing this web-connected capability that researchers at Rapid7 recently discovered a vulnerability:
“Through analysis of the Fisher-Price Smart Toy at hardware, software, and network levels, it was determined that many of the platform’s web service (API) calls were not appropriately verifying the ‘sender’ of messages, allowing for a would-be attacker to send requests that shouldn’t be authorized under ideal operating conditions.”
The affected APIs allowed an attacker to access a list of a customer’s details, modify children’s profile details, alter the toy list of a customer’s account, and find out if a child was playing with a toy.
An attacker could even find out all children’s profiles, including their name, birthday, and gender.
“While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers.”
Fisher-Price has since patched the vulnerability. According to a statement quoted by The Guardian, the toy company does not believe that any customer’s information was unlawfully accessed at this time:
“We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person. Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this.”
Internet-enabled toys pose a serious risk to children’s privacy if the proper precautions are not taken, a point which is evident in the November 2015 hack of electronic toy maker VTech as well as in the discovery that researchers could hack the Hello Barbie doll and compromise children’s privacy.
But as Fisher-Price’s quick fix reveals, there is hope for the future when it comes to the security of IoT toys, as Tod Beardsley, research manager at Rapid7, told Motherboard:
“We’ll get there. We’re in a formative period right now. But in the meantime, I guess, just be careful?”
This caution should consist of deciding whether your child even needs a web-enabled toy to begin with. Sure, a regular stuffed teddy bear might be boring, but at least there’s no risk of attackers using it to spy on your children.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.