February 02, 2016
Researchers at Rapid7 discovered vulnerabilities in Fisher-Price’s Smart Toy and hereO’s GPS platforms that could allow an attacker to collect the personal information of a user.
The Smart Toy is a stuffed animal that connects to an online account via Wi-Fi to provide users with a customizable educational and entertainment experience.
The toy’s platform contained an improper authentication handling vulnerability that could allow an unauthorized user to obtain a child’s name, age, date of birth, gender, spoken language and more, according to a Feb. 2 security blog post.
Many of the platform’s web service application program interface (API) calls didn’t appropriately verify the “sender” of messages and could allow a would-be attacker to send requests that shouldn’t be authorized under ideal operating conditions, according to the post.
In addition to compromising privacy, an attacker could use the bug to launch social engineering campaigns or to force the toy to perform actions that users didn’t intend, the researchers wrote.
The platform in a GPS tracker that allows family members to share their location with each other was also vulnerable to outside manipulation.
The hereO GPS platform contained an authorization bypass vulnerability which could allow an attacker to access every family member’s location, according to the post.
Once exploited, an attacker could discreetly add their account to any family’s network and manipulate notifications through social engineering to avoid detection.
Researchers gave the example of an attacker adding themselves to a family’s network under the “name” ‘This is only a test, please ignore,’ in an attempt to avoid raising suspicion.
Both vulnerabilities were reported to their respective vendors and have since been rectified. Rapid7’s Security Research Manager Tod Beardsley told SCMagazine.com in an email correspondence that these issues didn’t require patches or firmware upgrades.
Beardsley said that both vendors acted “reasonably and responsibly” during the disclosure process. It’s nearly impossible to ship products without some bugs when dealing with the internet of things (IoT) or software in general, he said.
“The goals of companies dedicated to securing personal information should be twofold,” Beardsley said.
”One, make sure that bugs are found in the design and development phases, and two, once vulnerabilities are identified after launch, they are easily and quickly remediated without too much effort by the end users,” he said.
Other IoT toys have been found to pose risks to users as well.
Last year, researchers identified security concerns in Mattel’s Hello Barbie that could allow an attacker to extract, internal Mac addresses, Wi-Fi network names, account IDs, and MP3 files from the popular doll.
ToyTalk, the company that operates the doll’s speech services, reportedly admitted the doll could be hacked but said the vulnerable information did not identify children, nor did it compromise any audio of a child speaking.