Fisher-Price bear could have leaked child's information to hackers
- 8 years ago
BOSTON — Researchers at a Boston-based security company found security flaws connected to a Fisher-Price toy line that would allow a hacker to steal a child's information.
The toy line was created in a collaboration with Smart Toy, a tech company, in September and features three stuffed animals that can learn a child's name, birthday, gender and even language. The stuffed animals can be paired with an app that was advertised as being able to increase child-to-toy interaction.
According to a report released on Feb. 2 by security company Rapid7, when the toy is connected to the Internet, it is vulnerable to would-be hackers.
"It was determined that many of the platform's web service (API) calls were not appropriately verifying the 'sender' of messages, allowing for a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions," the report said.
The report continues, outlining the potential dangers of the unsecured toy including the leak of private information on a child, which could be used to "to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers."
The report also notes that hackers could perform further immediate damages stating, "Additionally, because a remote user could hijack the device's functionality and manipulate account data, they could effectively force the toy to perform actions that the child user didn't intend, interfering with normal operation of the device."
According to the timeline of the report, Fisher-Price was initially notified in November and CERT was notified in December. The company acknowledged the problem in January and has since resolved the issue.
"We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person," Fisher-Price said in a statement. "Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this."
-------------------------------------------------------------
Welcome to TomoNews, where we animate the most entertaining news on the internets. Come here for an animated look at viral headlines, US news, celebrity gossip, salacious scandals, dumb criminals and much more! Subscribe now for daily news animations that will knock your socks off.
Visit our official website for all the latest, uncensored videos: http://us.tomonews.net
Check out our Android app: http://bit.ly/1rddhCj
Check out our iOS app: http://bit.ly/1gO3z1f
Get top stories delivered to your inbox everyday: http://bit.ly/tomo-newsletter
Stay connected with us here:
Facebook http://www.facebook.com/TomoNewsUS
Twitter @tomonewsus http://www.twitter.com/TomoNewsUS
Google+ http://plus.google.com/+TomoNewsUS/
Instagram @tomonewsus http://instagram.com/tomonewsus
The toy line was created in a collaboration with Smart Toy, a tech company, in September and features three stuffed animals that can learn a child's name, birthday, gender and even language. The stuffed animals can be paired with an app that was advertised as being able to increase child-to-toy interaction.
According to a report released on Feb. 2 by security company Rapid7, when the toy is connected to the Internet, it is vulnerable to would-be hackers.
"It was determined that many of the platform's web service (API) calls were not appropriately verifying the 'sender' of messages, allowing for a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions," the report said.
The report continues, outlining the potential dangers of the unsecured toy including the leak of private information on a child, which could be used to "to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers."
The report also notes that hackers could perform further immediate damages stating, "Additionally, because a remote user could hijack the device's functionality and manipulate account data, they could effectively force the toy to perform actions that the child user didn't intend, interfering with normal operation of the device."
According to the timeline of the report, Fisher-Price was initially notified in November and CERT was notified in December. The company acknowledged the problem in January and has since resolved the issue.
"We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person," Fisher-Price said in a statement. "Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this."
-------------------------------------------------------------
Welcome to TomoNews, where we animate the most entertaining news on the internets. Come here for an animated look at viral headlines, US news, celebrity gossip, salacious scandals, dumb criminals and much more! Subscribe now for daily news animations that will knock your socks off.
Visit our official website for all the latest, uncensored videos: http://us.tomonews.net
Check out our Android app: http://bit.ly/1rddhCj
Check out our iOS app: http://bit.ly/1gO3z1f
Get top stories delivered to your inbox everyday: http://bit.ly/tomo-newsletter
Stay connected with us here:
Facebook http://www.facebook.com/TomoNewsUS
Twitter @tomonewsus http://www.twitter.com/TomoNewsUS
Google+ http://plus.google.com/+TomoNewsUS/
Instagram @tomonewsus http://instagram.com/tomonewsus