IoT Vulnerability Discovered in Children's Connected Toy
Your child’s toy may not be the first thing you think about when it comes to Internet security. However, hackers could have used Internet-connected teddy bears to gain access to your personal information.
News of this latest vulnerability comes courtesy of Mark Stanislav at Boston-based security firm Rapid7, who released a security alert about the Fisher-Price Smart Toy as well as the hereO GPS platform today. Both companies have since fixed the issues, according to Rapid7. Nevertheless, the news is a stark reminder of just how prevalent security flaws can be in consumer products.
Hacking Stuffed Animals
The Fisher-Price Smart Toy, for example, is a stuffed animal (pictured above) with Internet connectivity geared toward children ages 3 to 8. There were some serious vulnerabilities in the device that could have potentially allowed someone to steal a child’s personal info by attacking the toy, according to the security notice.
“Through analysis of the Fisher-Price Smart Toy at hardware, software, and network levels, it was determined that many of the platform's Web service (API) calls were not appropriately verifying the 'sender' of messages, allowing for a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions,” Stanislav wrote in his security update.
The vulnerability could have enabled the hacker to find the profile of the child associated with the toy, including name, birthdate, gender, language, and which toys the child had played with. Attackers could have also gained access to information about the purchases that customers had made.
“The ability for an unauthorized person to gain even basic details about a child (e.g., their name, date of birth, gender, spoken language) is something most parents would be concerned about,” Stanislav said. “While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers.”
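The flaw Stanislav describes is a missing sender check: the API looked up a child's profile by the identifier in the request without confirming that the caller owned it. The following is an added illustration of that class of bug and its fix, written for this article; it is not Fisher-Price's or Rapid7's code, and every account, token, profile and function name in it is constructed for the example.

```python
"""Added example: a profile endpoint that trusts the child ID in the request
(the vulnerable pattern) beside one that ties the request to the authenticated
caller. All data below is constructed; none of it comes from the real toy."""

# Constructed sample data: child profiles, which account owns which child,
# and which session token belongs to which account.
PROFILES = {
    "child-001": {"name": "Alice", "birthdate": "2012-05-01",
                  "gender": "F", "language": "en"},
    "child-002": {"name": "Ben", "birthdate": "2011-09-14",
                  "gender": "M", "language": "en"},
}
OWNERS = {"acct-A": {"child-001"}, "acct-B": {"child-002"}}
SESSIONS = {"token-A": "acct-A", "token-B": "acct-B"}

# Audit trail of rejected requests; a defender would ship these to monitoring.
DENIED_LOG = []


def get_profile_unverified(child_id, token=None):
    """Vulnerable pattern: any caller who knows (or guesses) a child ID gets
    the profile. The session token is accepted but never checked against the
    resource, so the 'sender' of the message is not verified."""
    return PROFILES.get(child_id)


def authenticate(token):
    """Map a session token to an account, or None if the token is unknown."""
    return SESSIONS.get(token)


def get_profile_verified(child_id, token):
    """Hardened pattern: authenticate the caller, then authorize the specific
    resource by checking that the caller's account owns that child."""
    account = authenticate(token)
    if account is None:
        DENIED_LOG.append(("unauthenticated", child_id))
        raise PermissionError("no valid session")
    if child_id not in OWNERS.get(account, set()):
        # Deny without revealing whether the child ID exists.
        DENIED_LOG.append(("forbidden", account, child_id))
        raise PermissionError("not the owner of this profile")
    return PROFILES[child_id]


def handle_request(child_id, token, verified=True):
    """HTTP-style wrapper returning (status, body) so both handlers can be
    compared on the same input."""
    try:
        handler = get_profile_verified if verified else get_profile_unverified
        body = handler(child_id, token)
        return (200, body) if body is not None else (404, None)
    except PermissionError:
        return (403, None)


if __name__ == "__main__":
    # Account A asks for account B's child: the unverified handler leaks it,
    # the verified handler refuses and records the attempt.
    print(handle_request("child-002", "token-A", verified=False))
    print(handle_request("child-002", "token-A", verified=True))
    print(DENIED_LOG)
```

The key difference is that authorization is checked per resource, not merely per session: a valid login alone is not enough to read another family's profile. The denied-request log is what a service operator would watch for bursts of 403s from one account, which is the visible signature of someone enumerating identifiers.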
Tracking Family Members’ Whereabouts
The hereO GPS Platform, meanwhile, is a consumer device designed to keep family members connected and allow them to keep track of each other's locations and activities, particularly in the case of children ages 3 to 12. The security flaw discovered by Rapid7 could have allowed an attacker to gain access to every family member's location and location history, as well as to abuse other platform features as desired.
“This research helps to further underline the nascency of the Internet of Things with regard to information security,” Stanislav said. “While many clever and useful ideas are constantly being innovated for market segments that may have never even existed before, this . . . must be delicately weighed against the potential risks of the technology's use.”
Image Credit: Fisher-Price.