Teddy talk: Fisher-Price’s smart stuffed animals found to have security flaws

Just in time for Christmas last year, a security firm found that Hello Barbie, Mattel’s Wi-Fi-enabled doll with a sweet silver jacket and speech recognition, was vulnerable to hacking. Now Fisher-Price, which is owned by Mattel, has its own toy troubles. Its “Smart Toys” (Internet-connected stuffed animals), have a similar vulnerability, according to security researchers at Rapid7.

The “interactive learning friend,” aimed at kids aged 3-8, listens to and talks back to the child, tells stories and jokes, and knows the weather and news headlines. Whereas a beloved stuffed rabbit could only make a child vulnerable by becoming contaminated with scarlet fever germs, adding Wi-Fi could expose their identities. “It was determined that many of the platform’s web service (API) calls were not appropriately verifying the ‘sender’ of messages, allowing for a would-be attacker to send requests that shouldn’t be authorized under ideal operating conditions,” reports Rapid7. This means an attacker could have gotten the toy’s details (including its toy ID, name, type), accessed the child’s profile (which has data such as name, birthday, gender, and language), changed account details, and seen other information, such as game scores and customer purchases.

“While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers,” Raipd7’s Mark Stanislav wrote in a post about the smart toys’ vulnerabilities.

After Rapid7 contacted Fisher-Price about the issues, the company addressed the problem. Smart watch hereO, meant to help families keep track of each other, also had a vulnerability, researchers found. The GPS platform had an authorization flaw since it was patched; one that could have allowed attackers to send an accept an authorization request. That authorization grants access to family members’ locations and location histories.

It’s a tough time to be a connected kid. Last week, the New York City Department of Consumer Affairs launched an investigation of connected baby monitors, thanks to a Rapid7 report raising security issues.