Fisher-Price has fixed a security vulnerability in a smart toy after security researchers alerted it to the flaw.
The Fisher-Price Smart Toy is a stuffed animal that provides added functionality via wi-fi through a mobile application installed on parents’ phones, such as device monitoring and learning activities for the child.
Researchers at Rapid7 were able to determine that the API platform – which is built on Android version 4.4 (KitKat) – was not adequately verifying messages sent between the device and the app, allowing unsigned messages to be transmitted between them.
More worryingly, Rapid7’s research found that children’s profiles saved in the companion app could be accessed and edited by attackers. These profiles hold information such as the child’s name, birthday, gender, and spoken language.
Rapid7 passed its findings on to the CERT Division of the Software Engineering Institute in the US and to Fisher-Price, which has since acknowledged the vulnerability and applied a fix.
“We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear,” Fisher-Price said in a statement.
“We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorised person.
“Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve vulnerabilities like this.”
Rapid7 researcher Mark Stanislav hoped that manufacturers in general would take note of the Fisher-Price incident as an example of the potential risks of producing connected toys.
“I can’t stress enough how critical a time it is for manufacturers of connected toys – and IoT devices in general – to think about building security in at the development phase,” he said.