IoT Vulnerability Discovered in Children's Connected Toy
By Jef Cozza / CRM Daily
Your child’s toy may not be the first thing you think about when it comes to Internet security. However, hackers could have used Internet-connected teddy bears to gain access to your personal information.

News of this latest vulnerability comes courtesy of Mark Stanislav at Boston-based security firm Rapid7, who released a security alert about the Fisher-Price Smart Toy as well as the hereO GPS platform today. Both companies have since fixed the issues, according to Rapid7. Nevertheless, the news is a stark reminder of just how prevalent security flaws can be in consumer products.

Hacking Stuffed Animals

The Fisher-Price Smart Toy, for example, is an Internet-connected stuffed animal (pictured above) geared toward children ages 3 to 8. According to the security notice, serious vulnerabilities in the device could have allowed someone to steal a child’s personal information by attacking the toy.

“Through analysis of the Fisher-Price Smart Toy at hardware, software, and network levels, it was determined that many of the platform's Web service (API) calls were not appropriately verifying the 'sender' of messages, allowing for a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions,” Stanislav wrote in his security update.

The vulnerability could have enabled the hacker to find the profile of the child associated with the toy, including name, birthdate, gender, language, and which toys the child had played with. Attackers could have also gained access to information about the purchases that customers had made.
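
The following added example (not code from Rapid7, Fisher-Price, or this article) shows one way a Web service can verify that the sender of a request is entitled to the profile it asks for, along with a regression check that flags handlers lacking that verification. The data model, session tokens, and function names are hypothetical, and the records are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    profile_id: int
    owner_account: str  # account that registered the toy (hypothetical field)
    child_name: str
    birthdate: str

# Constructed sample records and sessions; not real data.
PROFILES = {
    101: Profile(101, "parent-a", "Sample Child A", "2012-01-01"),
    102: Profile(102, "parent-b", "Sample Child B", "2013-02-02"),
}
SESSIONS = {"tok-a": "parent-a", "tok-b": "parent-b"}  # token -> account

class Forbidden(Exception):
    """Raised when a request must be refused."""

def get_profile_unchecked(token, profile_id):
    """Flawed pattern: the sender is never compared with the record's owner."""
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    return PROFILES[profile_id]

def get_profile_checked(token, profile_id):
    """Hardened: the sender must be authenticated and own the requested record."""
    account = SESSIONS.get(token)
    profile = PROFILES.get(profile_id)
    # One error for "missing" and "not yours" so responses do not confirm ids.
    if account is None or profile is None or profile.owner_account != account:
        raise Forbidden("not authorized")
    return profile

def cross_account_leaks(handler):
    """Regression check: request every profile as every other account and
    return the (account, profile_id) pairs where data was handed back."""
    leaks = []
    for token, account in SESSIONS.items():
        for pid, profile in PROFILES.items():
            if profile.owner_account == account:
                continue  # owners are allowed to read their own record
            try:
                handler(token, pid)
                leaks.append((account, pid))
            except Forbidden:
                pass
    return leaks
```

Running `cross_account_leaks` against every read and write handler in a test suite turns the sender check into something that fails the build when a new endpoint omits it.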

“The ability for an unauthorized person to gain even basic details about a child (e.g., their name, date of birth, gender, spoken language) is something most parents would be concerned about,” Stanislav said. “While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers.”

Tracking Family Members’ Whereabouts

The hereO GPS Platform, meanwhile, is a consumer device designed to keep family members connected and allow them to keep track of each other’s locations and activities, particularly in the case of children ages 3 to 12. The security flaw discovered by Rapid7 could have allowed an attacker to gain access to every family member’s location and location history, as well as abuse other platform features as desired.

“This research helps to further underline the nascency of the Internet of Things with regard to information security,” Stanislav said. “While many clever and useful ideas are constantly being innovated for market segments that may have never even existed before, this . . . must be delicately weighed against the potential risks of the technology's use.”

Image Credit: Fisher-Price.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.