Fisher-Price has patched a vulnerability in its smart toys that could have allowed an attacker to gain unauthorized access to children’s personal information.
The Fisher-Price Smart Toy brand is a line of digital stuffed animals that are marketed to children for educational and entertainment purposes. For example, the company’s smart teddy bear comes with a tiny camera hidden on its nose.
The toy’s hidden camera reads a set of smart cards and triggers the bear to tell jokes, share interesting facts with a child, and initiate a number of other play and/or learning activities.
The functionality of Fisher-Price’s smart teddy bear, as well as its other smart toys, is augmented over Wi-Fi via a companion mobile application for parents.
It is through analyzing this web-connected capability that researchers at Rapid7 recently discovered a vulnerability:
“Through analysis of the Fisher-Price Smart Toy at hardware, software, and network levels, it was determined that many of the platform’s web service (API) calls were not appropriately verifying the ‘sender’ of messages, allowing for a would-be attacker to send requests that shouldn’t be authorized under ideal operating conditions.”
The affected APIs allowed an attacker to access a list of a customer’s details, modify children’s profile details, alter the toy list of a customer’s account, and find out if a child was playing with a toy.
An attacker could even find out all children’s profiles, including their name, birthday, and gender.
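As an added illustration (not Rapid7's findings or Fisher-Price's code; all account, child and session values are constructed), the following Python sketch contrasts the flaw class the advisory describes, a web service call that honours whatever customer id the request names without checking who sent it, with a handler that binds the requested record to the authenticated sender:

```python
from dataclasses import dataclass, field

@dataclass
class Child:
    name: str
    birthday: str
    gender: str

@dataclass
class Customer:
    email: str
    children: list = field(default_factory=list)
    toys: list = field(default_factory=list)

# Constructed sample records and sessions, not data from the real platform.
CUSTOMERS = {
    101: Customer("alice@example.com", [Child("Sam", "2012-04-01", "m")], ["bear-1"]),
    102: Customer("bob@example.com", [Child("Mia", "2013-09-15", "f")], ["bear-2"]),
}
SESSIONS = {"tok-alice": 101, "tok-bob": 102}  # session token -> parent account id

class Unauthorized(Exception):
    pass

def authenticated_customer(token: str) -> int:
    """Resolve the request's sender to an account; unknown tokens are rejected."""
    if token not in SESSIONS:
        raise Unauthorized("invalid session")
    return SESSIONS[token]

def get_children_unverified(customer_id: int) -> list:
    """Flawed pattern: trusts the customer id in the request and never checks
    who sent it, so any caller can read any account's child profiles."""
    return CUSTOMERS[customer_id].children

def get_children(token: str, customer_id: int) -> list:
    """Hardened handler: the requested account must be the sender's own."""
    sender = authenticated_customer(token)
    if sender != customer_id:
        # Same refusal whether or not customer_id exists, to avoid enumeration.
        raise Unauthorized("not the owner of the requested account")
    return CUSTOMERS[customer_id].children

def can_access(token: str, customer_id: int) -> bool:
    """True only when the hardened handler would serve the request."""
    try:
        get_children(token, customer_id)
        return True
    except Unauthorized:
        return False
```

The same ownership check applies to every operation the article lists (reading customer details, editing a child's profile, changing the toy list, querying play status): the sender's identity, not a value in the request body, decides which record may be touched.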
“While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers.”
Fisher-Price has since patched the vulnerability. According to a statement quoted by The Guardian, the toy company does not believe that any customer’s information was unlawfully accessed at this time:
“We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person. Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this.”
Internet-enabled toys pose a serious risk to children’s privacy if the proper precautions are not taken, a point which is evident in the November 2015 hack of electronic toy maker VTech as well as in the discovery that researchers could hack the Hello Barbie doll and compromise children’s privacy.
But as Fisher-Price’s quick fix reveals, there is hope for the future when it comes to the security of IoT toys, as Tod Beardsley, research manager at Rapid7, told Motherboard:
“We’ll get there. We’re in a formative period right now. But in the meantime, I guess, just be careful?”
This caution should consist of deciding whether your child even needs a web-enabled toy to begin with. Sure, a regular stuffed teddy bear might be boring, but at least there’s no risk of attackers using it to spy on your children.
One comment on “Watch out! Your kid’s internet-enabled teddy bear might be hacked”
'The Fisher-Price Smart Toy brand is a line of digital stuffed animals that are marketed to children for educational and entertainment purposes.'
Yeah and the education includes just how stupid the ideas here are. Unfortunately the students don't really care any more than the teachers. Fisher-Price should bugger off the IoT before they cause more harm (of course they will cause more harm because they don't really care about anything but profit and since these toys sell they get money).
'The toy's hidden camera reads a set of smart cards and triggers the bear to tell jokes, share interesting facts with a child, and initiate a number of other play and/or learning activities.'
I grant you that I'm not a parent and I can't imagine ever being one but that's just laziness or neglect. When a parent can't do these things for their child something is wrong. There are many other ways to teach kids things and also tell jokes. Why not read to the child? Why not teach them to read, encourage them to take an interest in something – anything?
This is teaching relying on technology rather than using your own brain. That's a problem that unfortunately affects many people without them realising it. The less thinking you do yourself the more your brain deteriorates and the harder things become (although I'm sure that some new 'smart' device will save them... at least if you believe the manufacturers).