As more things become ‘connected,’ the more exposed we are to attack. A report from last year showed that Mattel’s latest Wi-Fi-enabled Barbie could easily be exploited by attackers, allowing them to spy on users and listen in on conversations, and toy maker VTech suffered a data breach in November that included many photos and chat logs involving children. Now more vulnerabilities have been disclosed in products aimed at kids, this time in Fisher-Price’s “Smart Toys” range and a line of hereO GPS watches.
The flaws, which were published in a blog post from security firm Rapid7, have since been fixed by both vendors, but they are yet another example of internet-enabled products being released with glaring security holes.
The problem with the Fisher-Price toys was that many of the platform’s web service (API) calls did not properly verify that the sender of a request was authorized for the data it asked for. A logged-in attacker could therefore send requests that should never have been honoured and, from there, enumerate all customers’ accounts and the children’s profiles attached to them, including name, birthdate, gender, language, which toys they played with, and more.
While the vulnerability may not have been as severe as some of the others we have seen, it’s been pointed out that this information “could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns.”
In Rapid7’s post, researcher Mark Stanislav said that an attacker "could hijack the device's functionality and manipulate account data, they could effectively force the toy to perform actions that the child user didn't intend, interfering with normal operation of the device."
In a statement, Mattel, which owns Fisher-Price, said: “We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person. Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this.”
The second security flaw revealed by Rapid7 could have posed a more direct threat. The hereO GPS platform lets families keep track of each other through a mobile app and cellular-enabled watches. As with the Fisher-Price toys, the flaw was an authorization failure in the platform’s web service. It could have allowed an attacker to trick a family into adding them to their group, letting the attacker see each member’s location, location history and profile details, and even message them.
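Both reports come down to the same mistake: the API authenticates the caller but never checks that the caller is entitled to the object named in the request. The following is an added illustration of that pattern and its fix, written for this article; it is not code from Rapid7, Fisher-Price or hereO, and the handler names, account ids and sample records are constructed. Each handler receives the caller's authenticated account id, as a token-checked API would supply it.

```python
"""Broken object-level authorization: vulnerable handlers beside checked ones.

Hypothetical in-memory model (constructed for this article, not vendor code).
The *_vulnerable handlers trust the object id in the request; the *_checked
handlers tie that id to the authenticated caller before acting on it.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The caller is authenticated but not authorised for this object."""


@dataclass
class Child:
    child_id: int
    parent_id: int        # account that owns the profile
    name: str
    birthdate: str


@dataclass
class Family:
    family_id: int
    members: set = field(default_factory=set)
    invites: dict = field(default_factory=dict)  # invitee account -> inviting member


@dataclass
class Store:
    children: dict
    families: dict


ATTACKER = 999  # an ordinary account the attacker registered for themselves


def sample_store() -> Store:
    """Constructed sample data: two parent accounts, two children, one family."""
    return Store(
        children={
            1: Child(1, parent_id=100, name="Alice", birthdate="2011-03-04"),
            2: Child(2, parent_id=200, name="Bob", birthdate="2012-07-19"),
        },
        families={10: Family(10, members={100, 101})},
    )


# --- child profiles (the Fisher-Price style flaw) -------------------------

def get_child_vulnerable(store: Store, caller: int, child_id: int) -> Child:
    # Looks the record up by the id in the request alone. Nothing ties that id
    # to an account the caller owns, so any logged-in user can read any profile.
    return store.children[child_id]


def get_child_checked(store: Store, caller: int, child_id: int) -> Child:
    child = store.children.get(child_id)
    # Authorisation is a property of the (caller, object) pair. Unknown ids and
    # other people's ids get the same refusal, so probing reveals nothing.
    if child is None or child.parent_id != caller:
        raise Forbidden("not your child profile")
    return child


def enumerate_children(store: Store, caller: int, handler, max_id: int = 5) -> list:
    """Walk ids 1..max_id through a handler; returns the names the caller obtains."""
    names = []
    for cid in range(1, max_id + 1):
        try:
            names.append(handler(store, caller, cid).name)
        except (KeyError, Forbidden):
            pass
    return names


# --- family groups (the hereO style flaw) ---------------------------------

def join_family_vulnerable(store: Store, caller: int, family_id: int) -> set:
    # Any authenticated account can add itself to any family id it guesses.
    fam = store.families[family_id]
    fam.members.add(caller)
    return set(fam.members)


def invite_to_family(store: Store, caller: int, family_id: int, invitee: int) -> None:
    fam = store.families.get(family_id)
    if fam is None or caller not in fam.members:
        raise Forbidden("only current members may invite")
    fam.invites[invitee] = caller


def join_family_checked(store: Store, caller: int, family_id: int) -> set:
    fam = store.families.get(family_id)
    # Joining needs an invitation that an existing member issued for this exact
    # account. The invite is consumed, so it cannot be reused or replayed.
    if fam is None or fam.invites.pop(caller, None) is None:
        raise Forbidden("no invitation for this account")
    fam.members.add(caller)
    return set(fam.members)


if __name__ == "__main__":
    s = sample_store()
    print("vulnerable:", enumerate_children(s, ATTACKER, get_child_vulnerable))
    print("checked:   ", enumerate_children(s, ATTACKER, get_child_checked))
    print("joined:    ", join_family_vulnerable(s, ATTACKER, 10))
```

Run as a script, the attacker's account walks every child profile through the vulnerable handler and none through the checked one, and adds itself to family 10 without anyone's consent. The checked join refuses unless a current member created an invitation for that specific account, and it discards the invitation on use; the point is that a valid session token proves who is calling, not what they may touch.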
The hereO issue was fixed on December 15 after Rapid7 submitted the initial report on November 2. Stanislav praised both companies for their speedy response to the reported problems.
"We've seen a significant number of IoT toy vulnerabilities disclosed over the past six months, and we expect this trend will continue as new toys hit the market," Stanislav added. "I can't stress enough how critical a time it is for manufacturers of connected toys – and IoT devices in general – to think about building security in at the development phase."
Update (Feb 7): Regarding hereO's vulnerability, the company issued the following statement: "The vulnerability was patched within 4 hours of identification, we had yet to commence shipping of our GPS watches at the time, and most importantly, we can confirm that none of our users' data or security was compromised." Eli Shemesh, CTO, hereO.