Researchers with arguably too much time on their hands have discovered security blunders surrounding Fisher-Price Smart Toys and hereO GPS watches for children.
Fortunately, the two sets of vulnerabilities, discovered by security researchers at Metasploit biz Rapid7, have been addressed and fixed by both affected vendors.
Even so, the toymakers' failure to catch the flaws in design review, let alone before the products left the factory, once again raises concerns about the security of internet and mobile-enabled gadgets and gizmos.
Improper authentication handling in the backend web service behind Fisher-Price's Wi-Fi-equipped Smart Toy, a digital stuffed animal, could have allowed attackers to obtain basic details about a child – including their name, date of birth, and gender – to manipulate account data, and to hijack the toy's built-in functionality. Because the service's API calls did not properly verify who was making them, miscreants could query the toy's backend server over the internet and pull that information with little resistance.
Rapid7 also found an authorization flaw in the hereO Watch GPS Platform's web service (API). The flaw created a possible means for hackers to add their own account to a family's user group, which would let them see the child's location and location history, read the child's profile details, and even send the child messages.
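The two flaw classes above, a profile lookup that never authenticates the caller and a group-membership change that authenticates but never authorizes, are easy to confuse, so here is a constructed model of a toy backend written for this article. It is not Fisher-Price or hereO code: the endpoints, account names, family IDs and bearer tokens are all invented, and the hardened versions simply show the check each vulnerable handler is missing. Each vulnerable handler sits beside its fixed form.

```python
"""Constructed model of an IoT toy backend, written as an illustration of the
two flaw classes described in the article. Not Fisher-Price or hereO code:
endpoints, sample data and tokens are invented for this example.

  * missing authentication: a profile lookup that never checks who is calling
  * missing authorization: a membership call that checks the caller is logged
    in, but not that the caller belongs to the family being changed
"""
import hmac


class ApiError(Exception):
    """Carries an HTTP-style status so callers can see how a request failed."""

    def __init__(self, status, message):
        super().__init__(f"{status} {message}")
        self.status = status


def make_backend():
    """Fresh in-memory state (constructed sample data) so each scenario is independent."""
    return {
        "children": {
            "child-1001": {"name": "Sam", "dob": "2011-04-02", "gender": "F", "family": "fam-42"},
        },
        "families": {"fam-42": {"members": {"parent-1"}}},
        # bearer token -> account (invented); a real service would hold hashed, expiring sessions
        "sessions": {"tok-parent": "parent-1", "tok-stranger": "stranger-9"},
    }


def authenticate(db, headers):
    """Resolve the bearer token in the request headers to an account, or fail with 401."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    for known, account in db["sessions"].items():
        if hmac.compare_digest(token.encode(), known.encode()):  # constant-time compare
            return account
    raise ApiError(401, "unauthenticated")


# --- flaw 1: profile lookup that never asks who is calling ------------------

def get_child_profile_vulnerable(db, headers, child_id):
    """Returns name, date of birth and gender to anyone who can guess or enumerate an ID."""
    child = db["children"].get(child_id)
    if child is None:
        raise ApiError(404, "not found")
    return child


def get_child_profile(db, headers, child_id):
    """Hardened: authenticate, then require the caller to be a member of the child's family."""
    account = authenticate(db, headers)
    child = db["children"].get(child_id)
    family = db["families"].get(child["family"]) if child else None
    if family is None or account not in family["members"]:
        # same answer for "no such child" and "not your child", so IDs cannot be probed
        raise ApiError(404, "not found")
    return child


# --- flaw 2: membership change that checks login but not ownership -----------

def add_family_member_vulnerable(db, headers, family_id, new_member):
    """Any logged-in account can add any account, including itself, to any family."""
    authenticate(db, headers)
    family = db["families"].get(family_id)
    if family is None:
        raise ApiError(404, "not found")
    family["members"].add(new_member)
    return sorted(family["members"])


def add_family_member(db, headers, family_id, new_member):
    """Hardened: only an existing member of that family may add accounts to it."""
    account = authenticate(db, headers)
    family = db["families"].get(family_id)
    if family is None or account not in family["members"]:
        raise ApiError(403, "forbidden")
    family["members"].add(new_member)
    return sorted(family["members"])


def status_of(fn, *args):
    """Run a handler and report either ("ok", result) or ("error", status)."""
    try:
        return ("ok", fn(*args))
    except ApiError as err:
        return ("error", err.status)


if __name__ == "__main__":
    stranger = {"Authorization": "Bearer tok-stranger"}
    print(status_of(get_child_profile_vulnerable, make_backend(), {}, "child-1001"))
    print(status_of(get_child_profile, make_backend(), stranger, "child-1001"))
    print(status_of(add_family_member_vulnerable, make_backend(), stranger, "fam-42", "stranger-9"))
    print(status_of(add_family_member, make_backend(), stranger, "fam-42", "stranger-9"))
```

The second vulnerable handler is the one worth studying: it does call `authenticate`, so a token check alone would pass review, yet a stranger who adds themselves to a family then passes the hardened profile check too, which is exactly how a membership flaw becomes a child-location leak.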
Mark Stanislav, manager, global services at Rapid7, commented: "The amount of personal data that consumers willingly provide to vendors can put their personal privacy and security at risk when not properly protected and controlled. Access to individuals' personally identifiable information, Internet-connected devices within their home, and the potential for anonymous interaction with children are all concerns that need to be addressed during the growth of the Internet of Things."
[Image: Fisher-Price Smart Toy, one of the affected toys]
"As vendors continue to innovate in the market of connected toys, additional focus must be put on securing the user's privacy and safety," he added.
Stanislav praised both Fisher-Price and hereO for their prompt response to the reported problems. Other IoT toy vendors should take lessons from the incident and bake basic security controls into their products, Rapid7 advises.
"We've seen a significant number of IoT toy vulnerabilities disclosed over the past six months, and we expect this trend will continue as new toys hit the market," Stanislav added. "I can't stress enough how critical a time it is for manufacturers of connected toys – and IoT devices in general – to think about building security in at the development phase." ®