Security Flaw In Fisher Price “Smart Toys” Could Have Left Info For Children, Parents Vulnerable

Once upon a time, teddy bears were simple, cute, cuddly friends for youngsters. Today, the seemingly benign toys can talk, hold a conversation, and give away your personal information. Or at least that’s what security experts are saying about the Smart Toy stuffed bear from Fisher Price.

Researchers for security company Rapid7 found several security flaws in the toy that could allow hackers to obtain personal information, such as names, ages, birthdates, genders, and other data, from children.

The vulnerabilities were tied to software that managed how an app used by parents communicated with the servers running the toys, which also come as other animals, including monkeys and panda bears.

The digital toy pairs with a parent-use app and online accounts to better interact and tailor learning activities for children ages three to eight.

Like the current “worst toy of the year” for 2014, Hello Barbie, the Fisher Price toys adapt to a child over time.

Specifically, the digital line of toys uses a combination of image and voice recognition to identify a child’s voice and to read “smart cards” that start games and other activities during play. This can all be managed via the parent’s app.

According to Rapid7, the platform’s API calls “were not appropriately verifying the sender of messages, allowing for a would-be attacker to send requests that shouldn’t be authorized under ideal operating conditions.”

Researchers say that while there’s no evidence that the flaw was found by hackers, the ability for an unauthorized person to gain information on a child is concerning.

Rapid7 notified Fisher Price of the issue in December and the problem was fixed.

“We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear,” Fisher Price said in a statement to The Guardian. “We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person.”

A notice on the company’s website reiterates that point, noting that “NO PERSONALLY IDENTIFIABLE DATA is transmitted by Smart Toy.”

This isn’t the first child-focused product to contain a security flaw. Last year, toy maker VTech announced that a data breach had left the personal information of millions of parents and children vulnerable. Shortly after that, Hello Kitty’s online community suffered a hack, exposing the data for 3.3 million parents and children.

Fisher-Price smart bear allowed hacking of children’s biographical data [The Guardian]
Fisher-Price Smart Toy® & hereO GPS Platform Vulnerabilities (FIXED) [Rapid7]