Skip to main content
  1. Home
  2. Smart Home
  3. Wearables
  4. News

Teddy talk: Fisher-Price’s smart stuffed animals found to have security flaws

Jenny McGrath
By

fisher price smart toys found to have security vulnerabilities
Just in time for Christmas last year, a security firm found that Hello Barbie, Mattel’s Wi-Fi-enabled doll with a sweet silver jacket and speech recognition, was vulnerable to hacking. Now Fisher-Price, which is owned by Mattel, has its own toy troubles. Its “Smart Toys” (Internet-connected stuffed animals), have a similar vulnerability, according to security researchers at Rapid7.

The “interactive learning friend,” aimed at kids aged 3-8, listens to and talks back to the child, tells stories and jokes, and knows the weather and news headlines. Whereas a beloved stuffed rabbit could only make a child vulnerable by becoming contaminated with scarlet fever germs, adding Wi-Fi could expose their identities. “It was determined that many of the platform’s web service (API) calls were not appropriately verifying the ‘sender’ of messages, allowing for a would-be attacker to send requests that shouldn’t be authorized under ideal operating conditions,” reports Rapid7. This means an attacker could have gotten the toy’s details (including its toy ID, name, type), accessed the child’s profile (which has data such as name, birthday, gender, and language), changed account details, and seen other information, such as game scores and customer purchases.

“While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers,” Raipd7’s Mark Stanislav wrote in a post about the smart toys’ vulnerabilities.

After Rapid7 contacted Fisher-Price about the issues, the company addressed the problem. Smart watch hereO, meant to help families keep track of each other, also had a vulnerability, researchers found. The GPS platform had an authorization flaw since it was patched; one that could have allowed attackers to send an accept an authorization request. That authorization grants access to family members’ locations and location histories.

It’s a tough time to be a connected kid. Last week, the New York City Department of Consumer Affairs launched an investigation of connected baby monitors, thanks to a Rapid7 report raising security issues. 

Editors' Recommendations

Video-editing app LumaFusion to get a Galaxy Tab S8 launch

A tablet featuring the LumaFusion video editing app.

CBS is wrong. Hackers are unlikely to burglarize a smart home

wyze lock bolt smart fingerprint scanner finger

WyzeCam’s security flaw should not have been kept secret

WyzeCam hands-on review center

Nest vs. Ecobee: Which is the better smart thermostat?

Ecobee4 smart on a living room wall.

Smart lighting for safety and security

Wyze Cam Floodlight on the corner of a brick house.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Elon Musk talks to the press as he arrives to to have a look at the construction site of the new Tesla Gigafactory near Berlin.

The best gaming speakers for 2022: Improve the sound on your PC or game console

A Logitech speaker sitting beside a desktop computer.

The best OLED laptops for 2022

The Dell XPS 13 Plus on a table outside.

Elon Musk’s Starlink satellites hacked by $25 homemade device

A Starlink dish next to an RV.

The best ultrawide monitors for 2022

A LG ultradwide monitor.

Best smartwatch deals for August 2022

Best Samsung Galaxy Watch deals for August 2022

Galaxy Watch 4 Classic (left) and Galaxy Watch 3 (right).

Best Peloton alternatives for August 2022

L Now Indoor Exercise Bike