TOY MAKER Fisher-Price has found itself at the heart of a grizzly security situation after it was revealed that the firm's Smart Toy bear was leaking data on customers and kids.
Boston-based security outfit Rapid7 uncovered the flaw in the Smart Toy Bear, a cuddly IoT-connected device that remembers information spoken to it by children. The problem arose because of the toy's unsecured APIs that enabled hackers to pilfer information about registered children, such as names, dates of birth, gender and spoken languages.
Security researcher Mark Stanislav said in a blog post outlining the vulnerability that an attacker "could hijack the device's functionality and manipulate account data. They could effectively force the toy to perform actions that the child user didn't intend, interfering with normal operation of the device."
The flaw, which will cause many parents to paws for thought before buying their kids a WiFi-connected cuddly toy, has since been fixed, Fisher-Price said.
The company said in a statement given to The Guardian: "We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remedied the situation and have no reason to believe that customer information was accessed by any unauthorised person.
"Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this."
Rapid7 has been busy hunting for IoT security flaws, and has found another. HereO is a smart GPS watch designed for children. The device facilitates inter-family communication and allows parents to keep an eye on a child's location, but it fell victim to an API flaw which meant that account invitations to a family group were "not adequately protected against manipulation".
The security firm explained in a blog post: "Through the use of a pawn account that an attacker controls, they are able to send a request for authorisation into a family's group they are targeting, but by abusing an API vulnerability allow their pawn account to accept that request on that targeted family's behalf."
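The HereO flaw described above is a broken-access-control bug: the endpoint that approves a join request confirms the request exists but never checks that the account approving it belongs to the targeted family. The following is an added illustration, not code from Rapid7, HereO or Fisher-Price; the `FamilyGroupService` class, its method names and the account ids are all constructed for the example. It models the attacker-controlled "pawn" account approving its own request against a naive handler, and shows the server-side check that stops it.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to act on the resource."""


@dataclass
class Family:
    family_id: str
    admin_ids: set = field(default_factory=set)   # parents who may approve joins
    member_ids: set = field(default_factory=set)  # everyone who can see location data


@dataclass
class JoinRequest:
    request_id: str
    family_id: str
    requester_id: str      # the account asking to be let into the group
    accepted: bool = False


class FamilyGroupService:
    """Hypothetical server-side model of family-group join requests (constructed)."""

    def __init__(self):
        self.families = {}
        self.requests = {}
        self._next_id = 1

    def create_family(self, family_id, admin_id):
        fam = Family(family_id, {admin_id}, {admin_id})
        self.families[family_id] = fam
        return fam

    def request_to_join(self, requester_id, family_id):
        # Anyone may ask to join; the request itself is not the problem.
        req = JoinRequest(f"req-{self._next_id}", family_id, requester_id)
        self._next_id += 1
        self.requests[req.request_id] = req
        return req

    def accept_vulnerable(self, caller_id, request_id):
        # Flaw: verifies that the request exists but never checks WHO is
        # accepting it, so the requester can approve their own request.
        req = self.requests[request_id]
        req.accepted = True
        self.families[req.family_id].member_ids.add(req.requester_id)
        return True

    def accept_hardened(self, caller_id, request_id):
        req = self.requests.get(request_id)
        if req is None or req.accepted:
            raise AuthorizationError("unknown or already handled request")
        fam = self.families[req.family_id]
        # Fix: only an admin of the TARGET family may approve, and the
        # approver must be a different account from the requester.
        if caller_id not in fam.admin_ids or caller_id == req.requester_id:
            raise AuthorizationError("caller may not approve this request")
        req.accepted = True
        fam.member_ids.add(req.requester_id)
        return True


def demo():
    """Run the pawn-account scenario against both handlers and report the outcome."""
    naive = FamilyGroupService()
    naive.create_family("smith", "parent-1")
    req = naive.request_to_join("pawn", "smith")
    naive.accept_vulnerable("pawn", req.request_id)
    pawn_joined_naive = "pawn" in naive.families["smith"].member_ids

    fixed = FamilyGroupService()
    fixed.create_family("smith", "parent-1")
    req = fixed.request_to_join("pawn", "smith")
    try:
        fixed.accept_hardened("pawn", req.request_id)
        pawn_blocked = False
    except AuthorizationError:
        pawn_blocked = True
    # The legitimate parent can still approve the same request.
    parent_can_approve = fixed.accept_hardened("parent-1", req.request_id)
    return {
        "pawn_joined_naive": pawn_joined_naive,
        "pawn_blocked_hardened": pawn_blocked,
        "parent_can_approve": parent_can_approve,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive point is that the approval decision has to be made from the caller's authenticated identity and the family's admin list, not from anything the client supplies in the request; logging rejected approvals by account id is also a cheap signal for spotting accounts that repeatedly try to self-approve across many families.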
These latest security flaws targeting kids' sensitive information come just weeks after the high-profile attack on VTech that exposed the private data of 6.5 million children and five million parents.