Toys Patched Against Flaws That Put Children’s Data, Safety At Risk

Researchers at Rapid7 disclosed details on patched vulnerabilities in the Web APIs of toys from Fisher-Price and hereO that exposed the personal data of children.

As more devices are connected to the Internet, not only are vulnerabilities introduced into those networked things, but also some glaring holes are exposed in organizations’ ability to receive and triage bug reports.

Researchers at Rapid7 today disclosed details on a pair of vulnerabilities in toys and interactive platforms aimed at children. The two vulnerabilities have been patched by the respective vendors, but only after a bit of homework and coordination between Rapid7, CERT and the toymakers, Fisher-Price and hereO.

“Both are very different companies; Fisher-Price is a household name and hereO is a startup that used a Kickstarter to make this device. They both reacted about the same,” said Tod Beardsley, Rapid7 principal security research manager. “We had to dig a little to get ahold of them and again to explain the vulnerability. Once they got it, the got it, and it was a simple fix.”

Both of the vulnerabilities in Fisher-Price’s Smart Toy Bear and hereO’s GPS platform could be abused to put children’s personal data, and possibly safety, at risk. Working in consumers’ favor is that the flaws were found by researcher Mark Stanislav in the in the respective toys’ Web APIs, meaning that the fix would be applied on the vendor’s end and required no patches on the endpoint.

The Fisher-Price Smart Toy Bear is a stuffed animal that young children can interact with; the bear talks, listens and remembers, according to the Fisher-Price website. It also connects over Wi-Fi to the Internet for new features and updates and it connects to a mobile application. Stanislav found that the Web API improperly handled authentication and specifically were not verifying the sender of messages. An attacker could send requests that should not be authorized, Stanislav said in an advisory published today.

The impact could be that an attacker could learn details about users, including children’s profiles, which include names, dates of birth, gender, language and any toys purchased. The information could be enough to build a profile that could be used in a social engineering scam targeting the child or parents, Rapid7 said.

The hereO platform is the backbone of a watch for children that includes a GPS, SIM card and UPS connector. Parents can use these features to track a child’s whereabouts. Rapid7 found an authorization bypass flaw in the Web API of the device that allows an attacker to invite and accept themselves into a family group; the platform supports messaging, location features and panic alerts for members of each respective group.

“The vulnerability was patched within 4 hours of identification, we had yet to commence shipping of our GPS watches at the time, and most importantly, we can confirm that none of our users’ data or security was compromised.” Eli Shemesh, CTO hereO

A successful exploit could enable an attacker to learn the location of anyone in the group and more.

“With the herO, a successful attacker can locate kids, which is hugely creepy. With the Fisher-Price toy, an attacker can build a database of kids’ names and dates of birth, which by themselves are not secrets but can be more useful for more traditional attackers,” Beardsley said. “With kids’ names and birthdays, you get details about kids which can help with scams and phishing attempts. Kids names and birthdays are also useful for secret questions and password generators in peoples’ brains where people use their kid’s names and the year they were born, which of course are terrible passwords.”

Another more subtle vulnerability in both toys is that anyone can register for an account without having purchase the toys, Beardsley said.

“Some toys come with a code that you have to enter as proof that you bought it. These didn’t,” Beardsley said. “The barrier to entry is minimal. And once you’re there, all you have to do is inspect the web API and see what the requests and responses are.”

In the meantime, as more devices are networked, it’s unlikely to think security can be baked in from the start.

“It’s impossible write software without bugs, and some of those bugs are going to have security implications,” Beardsley said. The important thing is the response. It shouldn’t take a Herculean effort to find who to talk to and when you do, you shouldn’t have to wonder if this is the day I’m named in a lawsuit. This is a worry every time.”

Suggested articles