Fisher Price Toys and childrens' watches can be hacked
The devices made by HereO and Fisher Price have now been fixed, Rapid7 has revealed
Security firm Rapid7 has uncovered vulnerabilities in a number of childrens' products, although the company claims they have now been patched.
Rapid7 discovered a vulnerability in the Fisher Price Smart Toy, a range of cuddly soft bears that claim to educate and engage children. The toy's "web service (API) calls were not appropriately verifying the sender" of messages," the report revealed, meaning an attacker could send requests to the device without authorisation.
Specifically, it was possible to obtain the child's name, birthdate, gender, language, and which toys they have played with, create, edit, or delete children's profiles on an account, change the toys related to an account, find out whether a parent is using their associated mobile app and look at the purchases made by a customer, scores for games played on the toy and which game packs had been downloaded.
"Most clearly, the ability for an unauthorized person to gain even basic details about a child (e.g. their name, date of birth, gender, spoken language) is something most parents would be concerned about," Mark Stanislav, manager, global services at Rapid7, said in his blog.
"While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers."
The HereO GPS watch is also open to attack, Rapid7 explained.
"By abusing this vulnerability, an attacker could add their account to any family's group, with minimal notification that anything has gone wrong. These notifications were also found to be able to get manipulated through clever social-engineering by creating the attacker's 'real name' with messages such as, 'This is only a test, please ignore.'" Stanislav addesd.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Once the exploit has been attacked, information including every family member's location, or location history could be uncovered and can be used to abuse the platform.
Both Fisher Price and HereO said they have fixed the vulnerabilities uncovered by Rapid7. However, it serves as a stark warning to both parents and manufacturers.
"The amount of personal data that consumers willingly provide to vendors can put their personal privacy and security at risk when not properly protected and controlled," Stanislav said.
"Access to individuals' personally identifiable information, Internet-connected devices within their home, and the potential for anonymous interaction with children are all concerns that need to be addressed during the growth of the Internet of Things. As vendors continue to innovate in the market of connected toys, additional focus must be put on securing the users' privacy and safety."
This is the latest in a long string of vulnerabilities found in childrens' toys. In the last few months, VTech's educational platform was hacked, as was Hello Barbie, which could be used to spy on children.
Security experts have now warned parents to be aware of the risk posed by connected toys.
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.