Vulnerabilities in Fisher-Price Smart Toys
Rapid7 has found vulnerabilities in Fisher-Price Smart Toys and children’s GPS
watches made by hereO. The vulnerabilities have been addressed and fixed by the
In the case of the Fisher-Price Smart Toy (a digital stuffed animal), improper
authentication handling could have allowed attackers to gain access to basic details
about a child, including their name, date of birth, and gender, to manipulate account
data, and to hijack the toy’s built-in functionality.
Rapid7 also found an authorisation flaw in the hereO GPS Platform’s web service
(API). By abusing this vulnerability, an attacker would have been able to add their
account to a family’s user group, enabling them to see the child’s location,
history, profile details and even message them.
The research once again highlights the potential risks associated with the Internet
of Things, and the need for vendors to leverage industry initiatives to better the
security of new IoT technologies before they enter consumers’ hands and homes.
Mark Stanislav, Manager, Global Services at Rapid7, comments:
“The amount of personal data that consumers willingly provide to vendors can put
their personal privacy and security at risk when not properly protected and
controlled. Access to individuals’ personally identifiable information,
Internet-connected devices within their home, and the potential for anonymous
interaction with children are all concerns that need to be addressed during the
growth of the Internet of Things. As vendors continue to innovate in the market of
connected toys, additional focus must be put on securing the users’ privacy and
“The good news here is that both Fisher-Price and HereO, in coordination with CERT,
have acknowledged and fixed the identified flaws in their products. It’s very
encouraging to see these companies taking security seriously and fixing quickly.
We’ve seen a significant number of IoT toy vulnerabilities disclosed over the past
six months, and we expect this trend will continue as new toys hit the market. I
can’t stress enough how critical a time it is for manufacturers of connected toys –
and IoT devices in general – to think about building security in at the development
phase. Translation: All is not lost, but the time to act is now.”