Security Flaw Found in Fisher-Price Smart Toys


Teddy bears and pandas that could talk were easily hacked.

Security vendor Rapid7 on Feb. 2 disclosed a security flaw in Fisher-Price Smart Toys that could have allowed an attacker to access a child’s personal information through toys such as a talking teddy bear.

According to eWeek, the flaw, tracked as CVE-2015-8269, involves a poorly secured Web API with improper authentication: the service did not properly verify who was making a request, so anyone could submit requests under any user ID.
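The flaw class described above, an API that accepts a client-supplied user ID as proof of identity, is easy to see in miniature. The handlers, account records, session tokens and request shape below are constructed for this added example; they are not Fisher-Price's or Rapid7's code and make no claim about how the real API was built. The vulnerable handler trusts whatever `user_id` the caller names; the hardened one derives identity from a server-issued session and treats the parameter as a consistency check only.

```python
# Added illustration of the "anyone can assume any user ID" flaw class.
# All data, tokens and handler names here are invented for this example.
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample data: two parents' accounts as a toy back end might hold them.
ACCOUNTS = {
    "u1001": {"child_name": "Ava", "birthday": "2011-04-02", "toy": "teddy bear"},
    "u1002": {"child_name": "Leo", "birthday": "2012-09-17", "toy": "panda"},
}

# Constructed session store: bearer token -> the user it was issued to.
SESSIONS = {
    "tok-ava-parent": "u1001",
    "tok-leo-parent": "u1002",
}


@dataclass
class Request:
    headers: dict
    params: dict


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def lookup_session(req: Request) -> Optional[str]:
    """Return the user bound to the bearer token, or None if absent or unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    # Constant-time comparison against each known token so token guessing
    # cannot be sped up by timing differences.
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return user
    return None


def get_profile_vulnerable(req: Request) -> Response:
    """Anti-pattern: a client-supplied user ID is treated as proof of identity.

    No credential is checked at all, so anyone who can reach the API can name
    any customer ID and read that customer's record.
    """
    uid = req.params.get("user_id")
    if uid not in ACCOUNTS:
        return Response(404)
    return Response(200, ACCOUNTS[uid])


def get_profile_hardened(req: Request) -> Response:
    """Identity comes from the session; the user_id parameter can never widen access."""
    user = lookup_session(req)
    if user is None:
        return Response(401)          # no valid session: refuse before touching data
    requested = req.params.get("user_id", user)
    if requested != user:
        return Response(403)          # authenticated, but asked for someone else's record
    return Response(200, ACCOUNTS[user])


if __name__ == "__main__":
    # An unauthenticated caller names Ava's parent's account ID.
    attack = Request(headers={}, params={"user_id": "u1001"})
    print("vulnerable:", get_profile_vulnerable(attack))   # leaks Ava's record
    print("hardened:  ", get_profile_hardened(attack))     # 401
```

The hardened version still accepts a `user_id` parameter so that existing clients keep working, but the only value it will ever serve is the one bound to the session; a mismatch is an authorization failure, not a lookup.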

In its disclosure, Rapid7 said it notified Fisher-Price of the issue in early November and that the company pushed a patch late last month. Beyond exposing personal information, the flaw could have let an attacker hijack a toy and control its functionality remotely, forcing it to behave in ways the child or parent never intended. An attacker could also tell whether a toy was currently in use and which game packs were attached to it.


On its information page for the smart toys, which include the talking teddy bear, panda, and monkey, Fisher-Price states that it has partnered with security firm Synack to ensure the privacy and safety of its customers. It also states that no voice or visual data is transferred over the Internet and that all game downloads occur over encrypted connections.

This is just the latest in a series of security issues affecting IoT devices. Other popular toys that made headlines include Hello Barbie, which earned Mattel a lawsuit after security researchers at Bluebox showed it could be hacked; those flaws could have allowed an attacker to eavesdrop on a child’s conversations and control what the doll says. Meanwhile, Sanrio admitted that it had been storing user information for its Hello Kitty website on an unsecured server that anyone who knew the address could access.

Both Sanrio and Mattel say they have since fixed the flaws and claim there is no evidence that any user information was compromised.
