Security flaws discovered in smart toys and kids’ watches

Rapid7 researchers have unearthed serious flaws in two Internet of Things devices:

  • The Fisher-Price Smart Toy, a “stuffed animal” type of toy that can interact with children and can be monitored via a mobile app and WiFi connectivity, and
  • The hereO GPS Platform, a smart GPS toy watch that allows parents to track their children’s physical location.

In both cases the problem was with the authentication process, i.e. in the platform’s web service (API) calls.

Fisher-Price Smart Toy

In the first instance, the API calls were not appropriately verified, so an attacker could have sent unauthorized requests and extract information such as customer details, children’s profiles, and more.

“Most clearly, the ability for an unauthorized person to gain even basic details about a child (e.g. their name, date of birth, gender, spoken language) is something most parents would be concerned about. While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers.”

In the second instance, the flaw allowed attackers to gain access to the family’s group by adding an account to it, which would allow them to access the family member’s location, location history, etc.

“We have once again been able to work with vendors to resolve serious security issues impacting their platforms and hope that vendors considering related products are able to take note of these findings so that the overall market can improve beyond just these particular instances,” noted Mark Stanislav, manager of global services at Rapid7.

“This research helps to further underline the nascency of the Internet of Things with regard to information security. While many clever & useful ideas are constantly being innovated for market segments that may have never even existed before, this agility into consumers’s hands must be delicately weighed against the potential risks of the technology’s use,” he added.

“It’s great to see that Fisher Price has reacted so quickly to fix the security vulnerability found in its new Smart Toy. Just last year, the Vtech attack demonstrated how vulnerabilities found in connected toys not only pose a risk to children’s privacy, but also the information security of their parents who may use their details to buy add-ons for that toy or for related services,” commented Paul Farrington, senior solution architect at Veracode.

“This case once again highlights how consumer companies must pay greater attention to application security when building smart devices. Toy manufacturers have been subject to quality standards for decades. These help keep our children safe. When a toy becomes connected to the Internet, a child is exposed to a potentially hostile environment. Regulations have not yet caught-up with the need for good application security. Code security scanning needs to be become a ‘final check’ in all toys that connect to the Web.”