When toy maker Mattel’s Fisher-Price brand introduced Smart Toy—a stuffed bear designed to be an interactive playmate to kids—security experts were quick to say that it is, in fact, hackable. Boston-based researchers have proven this to be more than just a hunch with the discovery of security flaws in the app that expose sensitive data such as a child’s name, birthdate, and gender.
As of this writing, the brand has managed to fix the issue and stressed no account information was stolen by any unauthorized party. In a statement, Fisher-Price noted, “We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person. Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this.”
The Smart Toy Bear, made by the company for children ages 3 to 8, is “an interactive learning friend that talks, listens, and ‘remembers’ what your child says and even responds when spoken to”. This is done by connecting to the Internet through a WiFi connection. The security hole was found in its app, which serves as a link that allows parents to communicate with system servers. The flaw, according to researchers, fails to secure data stored in a remote server, thus allowing any hacker or bogus customer to gain easy, unauthorized access. Further, cybercriminals could potentially use the flaw to their advantage to mine information from a target family and lure them into giving more with a phishing attack.
While the flaw is not considered critical, the discovery seeks to create awareness and discussion on how consumers potentially put their privacy and security in peril now that everything is getting “smartified”. Late last year, news of the growing number of security incidents and tests concerning smart toys began to reach public consciousness. The most notable incident, the VTech breach in December 2015, exposed names, birthdays, account information, and even 190 GB worth of photos of 6 million of its customers from the company’s application database. In the same month, researchers discovered that Mattel’s Hello Barbie had a flaw that could let hackers listen in on communications between the toy and the servers it is linked to.