Two Smart-Toy Flaws Give Attackers a Direct Line to Kids' Personal Info

Written by

Two “smart toys,” the Fisher-Price Smart Toy and hereO GPS, have disturbing vulnerabilities—underlining the nascence of the internet of things (IoT) with regard to information security.

Rapid7 researchers have determined that in both, there was an issue with the platform's web service (API) authorization.

The Fisher-Price toy line is a range of digital stuffed animals that provide both educational and entertainment options for children ranging in ages from 3-8 years old.

“While the device is able to function without Internet-connected capabilities, its functionality is enhanced over Wi-Fi through a companion mobile application for parents and updates to device activities,” Rapid7 researchers said, in a blog. “Plus, let's face it, a 'smart' toy doesn't really get very smart without some real-time Internet connectivity!”

But, Rapid7 determined that many of the API calls were not appropriately verifying the "sender" of messages, allowing an attacker to send requests that shouldn't be authorized under ideal operating conditions. As a result, a number of APIs were found to be at risk, enabling an attacker to do a number of things such as find out key customer and children's information, including names, birthdates and more.

Meanwhile the hereO GPS offering consists of a multi-platform mobile application and a cellular-enabled watch that is targeted at use by children ranging in ages from 3-12 years old. Much like a traditional social network, family members can be invited into a group and then have varying levels of access to each other, determined by administrative users. Additional features of this platform include intra-family communication (i.e. messaging), notifications for people coming and/or going from a specific location (i.e. geo fences), and even a panic-alert function.

By abusing an authorization flaw, an attacker could add their account to any family's group, with minimal notification that anything has gone wrong. Once this exploit has been carried out, the attacker would have access to every family member's location, location history and be allowed to abuse other platform features as desired.

Both vendors have addressed the issues, Rapid7 said.

“While many clever and useful ideas are constantly being innovated for market segments that may have never even existed before, putting this agility into consumers' hands must be delicately weighed against the potential risks of the technology's use,” the researchers noted. “It’s critical that vendors creating the next generation of IoT products and platforms leverage industry initiatives, such as and OTA's IoT Trust Framework, to better the security of these technologies before they enter consumers' hands and homes.”

Photo © cjmacer/

What’s hot on Infosecurity Magazine?