Update: Smart Toys Leak Info on Kids, Families

Flaws in connected toys by Mattel and other manufacturers could leak personal information about children and families.
Flaws in connected toys by Mattel and other manufacturers could leak personal information about children and families, research by Rapid7 found.

In-brief: research by the security firm Rapid7 has uncovered security flaws in new, interactive “smart toys” by Fisher Price and other toy makers that could divulge personal information related to children and their families. Editor’s note: this story was updated to include comments from Mark Stanislav of Rapid7. PFR Feb 2, 2016.

Research by the security firm Rapid7 has uncovered security flaws in new, interactive “smart toys” by Fisher Price and other toy makers that could divulge personal information related to children and their families.

The company published information Tuesday that reveals flaws in the Smart Toy® line of connected play things sold by the toy giant Mattel. The flaws could divulge information on the child owner of a toy, including its name, birthdate and e-mail. Research into a line of GPS watches for kids uncovered a way that a remote attacker could gain access to a trusted social network used by the watches.

The research, by Rapid7 researcher Mark Stanislav, is just the latest to raise privacy and security concerns about interactive, Internet-connected “smart toys.” In December, the security firm Bluebox Security said that it discovered security flaws in the mobile application that comes with Mattel’s Hello Barbie. Among other things, the researchers warned that the application was plagued by a myriad of authentication woes that could leak owner passwords, or allow an attacker to re-use stolen credentials to access other, linked web properties.

Stanislav found similar concerns in Mattel’s Smart Toys line of products, which are sold under its FisherPrice brand. By analyzing the toy’s hardware, software and network communications, Rapid7 determined that many of the platform’s web service API (application program interface) calls did not appropriately verify the “sender” of messages. That could allow an attacker to send requests to the toy that otherwise wouldn’t be authorized.

[Read more Security Ledger coverage of connected toys here.]

For example, an attacker could used unauthorized API calls to get the Smart Toys product to divulge a list of customers’ toy details including the toy ID, toy name, toy type, and associated child profile. An attacker could send a command to “find all children’s profiles,” which divulges a child’s name, birthdate, gender, language, and which toys they have played with. The flaws would similarly let an attacker modify the children’s profiles on any customer’s account or monitor when a parent is actively using the mobile application associated with a connected toy or when a child is interacting with their toy.

Stanislav, who recently became a parent, said he chose to look at the FisherPrice Smart Toy line after a security colleague familiar with his work gave him one as a gift at a baby shower.

“I think it was a kind of tongue in cheek gift,” Stanislav said.

Nevertheless, he got to work analyzing the plush toy, tearing it open to expose the brains of the device: a hard plastic case at the center of the toy that contained a system on chip board and other core components.

“The toy didn’t last very long,” he said.

His research soon bore fruit, as Stanislav discovered that the Smart Toys run Google’s Android operating system and contain a hidden USB port that allowed him tp mount and analyze the toy’s file system. As he often does, Stanislav started looking for ways to realize what he called “worst case scenarios.” In the case of the Smart Toy stuffed animals, that would be exposure of personal information on the child or, perhaps, a way for attackers to take control of the toy remotely.

He found evidence that both scenarios were possible. By exploiting flaws in Mattel’s web-based management platform, Stanislav determined that an attacker could extract information parents use to register the device, including the child’s name, gender, language and date of birth.

And, by exploiting flaws in the Smart Toys infrastructure, the same attacker could prank parents and kids: changing the name of the child displayed on the parent’s mobile application – for example: to a curse word – or pairing the child’s toy with an account controlled by an attacker, allowing them to force the toy to play games the child had not chosen, and so on.

While those attacks were benign, they could be disturbing for both parents and children. The exposure of personal information was less benign, he said.

Rapid7 also found flaws in the cloud-based platform used by the hereO GPS kids watch, which is marketed and sold by the UK-based firm KGPS Ltd. The watch allows parents to monitor the whereabouts of children wearing the watch and also supports some basic “social networking” features such as messaging.

According to a release by Rapid7, the web-based platform that is used to support the hereO watch contains an “authorization flaw” in the platform’s web service (API) calls that could allow an attacker to create a fake account and insinuate him or herself into a closed, family network.

“Invitations to a family’s group were not adequately protected against manipulation,” Rapid7 found. Specifically: attackers could use a “pawn” account to abuse the API vulnerability, allowing an attacker to accept a request to “join” the family network on the family’s behalf. While such an attack could not happen without notification to legitimate users, Rapid7 argues that social engineering could allow an attacker to fool family members into ignoring that notification message.

E-mail requests for comments and efforts to reach Mattel and KGPS Ltd. were not returned.  prior to publication. In an automated e-mail response, KGPS said that it was taking the company longer than usual to respond due to a “significant increase in the number of requests.”

This isn’t the first time that Stanislav and Rapid7 have investigated security flaws in technology targeted at children and parents. In September, the firm published research on a range of Internet-connected baby monitors and found evidence of lax security, including weak or hard-coded user names and passwords. In one case, Stanislav uncovered a vulnerability that would allow any user of a connected camera to view camera details for any other user, including video recording details.

Regulators are beginning to take notice. At the Consumer Electronics Show in January, Edith Ramirez, chairwoman of the Federal Trade Commission, and Tom Wheeler, chairman of the Federal Communications Commission, underscored the need for security and privacy protections in connected products. Both urged manufacturers to give consumers a choice over the collection and use of their personal information.

“Internet service providers have a responsibility to make sure information they collect is secure,” Wheeler is reported to have said.

And, in March,  the Federal Trade Commission announced that it is creating a new Office of Technology Research and Investigation to expand research into areas such as privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.

3 Comments

  1. Not to nitpick here, but it seems like this is a plain old IT security & privacy issue with the cloud half of the service and not an inherent security issue with the thing.

    • A Regular Reader

      Looks like one is, one isn’t. Wondering also if (as it is android) there isn’t some way to get to the one that isn’t remotely, as it is connected online, but not enough to care much – just curious.

  2. Pingback: Smart Toys Leak Info on Kids, Families - iotta