Attackers could have spied on kids and their families

Feb 2, 2016 20:23 GMT

Security and privacy flaws affect Fisher-Price's Internet-connected Smart Toy and hereO's line of GPS watches for children, researchers from Rapid7 have disclosed.

The Fisher-Price Smart Toy is a relatively new line of plush toys that interact with children based on what the child does and says, and adapt over time. The toy connects to the Internet to support that learning, and parents can also monitor its status through a mobile app over their local Wi-Fi network.

Smart plush toy uses an insecure API

Rapid7 researchers found that, while online, the toy talked to Fisher-Price's servers through an API that did not properly authorize the requests it received.

"The platform's Web service (API) calls were not appropriately verifying the 'sender' of messages, allowing for a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions," researchers explain.

In practice, an attacker could query the API and receive data they were never entitled to see: a list of all the manufacturer's customers, every child profile, and which toy was tied to which account and which child.

Personal details such as the child's name, birth date, gender, and language were exposed as well, along with the toy's current status (whether the child was playing with it at that moment).

Because the same missing check applied to write operations, attackers could also delete toy profiles or reassign a toy from one account to another, changing its behavior and confusing the child with responses meant for someone else.

The issues were reported to Fisher-Price in mid-November 2015 and fixed by mid-January 2016.

GPS watch allowed attackers to spy on kids and their families

The second issue lies in the hereO GPS Platform, a project funded through Indiegogo that began shipping products to its backers only a month earlier.

hereO is a family of GPS-enabled children's watches paired with mobile apps that let parents and other family members track a child's location.

The hereO mobile apps use the concept of "circles" to manage which family members are trusted to track a child or group.

Rapid7 researchers found an authorization bypass in the platform's API: an attacker could request access to a family circle and then approve that request themselves, a step that should have been reserved for an existing, trusted member of the circle.

Once inside a family's hereO circle, the attacker could see the child's location in real time, the child's location history, and the whereabouts of other family members, which the apps report from the GPS of their smartphones.
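Both findings are the same class of bug: the server knows who is calling but never checks what that caller is allowed to touch. The following is an added example written for this article, not code from Rapid7, Fisher-Price or hereO, that models the two failures in a small in-memory Python service: a profile lookup that trusts any authenticated session (the Smart Toy case) and a circle-membership workflow in which the requester can approve their own request (the hereO case), each beside its hardened form. All handler names, account IDs and data fields are constructed for illustration.

```python
"""Added illustration of two access-control failures: an API that authenticates the
caller but never authorizes the object (profile lookup), and a membership workflow
whose approval step does not check who is approving (circle join).
Constructed in-memory model; handler names, IDs and fields are assumptions, not
the vendors' real APIs or data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class Forbidden(Exception):
    """Raised when a request fails the authorization check."""


# Constructed sample data: two parent accounts, each owning one child profile.
PROFILES: Dict[str, Dict[str, str]] = {
    "child-001": {"owner": "acct-alice", "name": "Sam", "birth": "2011-04-02"},
    "child-002": {"owner": "acct-bob", "name": "Lee", "birth": "2012-09-17"},
}


def get_profile_vulnerable(session_user: str, profile_id: str) -> Dict[str, str]:
    """The flaw: session_user is authenticated, but the handler never checks that
    the profile belongs to that account, so any logged-in user can read any
    child's record just by naming (or guessing) its ID."""
    if profile_id not in PROFILES:
        raise Forbidden("no such profile")
    return PROFILES[profile_id]


def get_profile_fixed(session_user: str, profile_id: str) -> Dict[str, str]:
    """The fix: authorize the object, not just the caller. Unknown and foreign
    IDs get the same error so the endpoint is not an existence oracle."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        raise Forbidden("not your profile")
    return profile


def enumerate_profiles(handler: Callable[[str, str], Dict[str, str]],
                       session_user: str) -> List[str]:
    """Simulate an attacker walking the ID space with one ordinary account;
    return the profile IDs the handler was willing to hand over."""
    readable = []
    for profile_id in sorted(PROFILES):
        try:
            handler(session_user, profile_id)
            readable.append(profile_id)
        except Forbidden:
            pass
    return readable


@dataclass
class Circle:
    """A family circle: trusted members plus pending join requests."""
    members: Set[str]
    pending: Set[str] = field(default_factory=set)


def request_join(circle: Circle, user: str) -> None:
    """Anyone may ask to join; the request is meant to wait for a member's approval."""
    circle.pending.add(user)


def approve_vulnerable(circle: Circle, approver: str, requester: str) -> None:
    """The flaw: the approver's standing in the circle is never checked, so the
    requester can approve themselves in the very next call."""
    if requester in circle.pending:
        circle.pending.discard(requester)
        circle.members.add(requester)


def approve_fixed(circle: Circle, approver: str, requester: str) -> None:
    """The fix: only an existing member may approve, and never their own request."""
    if approver not in circle.members or approver == requester:
        raise Forbidden("approver is not a trusted member of this circle")
    if requester not in circle.pending:
        raise Forbidden("no pending request for this user")
    circle.pending.discard(requester)
    circle.members.add(requester)


def self_approval_succeeds(approve: Callable[[Circle, str, str], None]) -> bool:
    """An outsider requests access to a family's circle and then approves the
    request as themselves; True if they ended up a member."""
    circle = Circle(members={"parent-1", "parent-2"})
    request_join(circle, "attacker")
    try:
        approve(circle, approver="attacker", requester="attacker")
    except Forbidden:
        pass
    return "attacker" in circle.members


def member_approval_succeeds(approve: Callable[[Circle, str, str], None]) -> bool:
    """The legitimate path: an existing member approves a relative's request."""
    circle = Circle(members={"parent-1"})
    request_join(circle, "grandparent")
    approve(circle, approver="parent-1", requester="grandparent")
    return "grandparent" in circle.members


if __name__ == "__main__":
    print("vulnerable API, stranger sees:", enumerate_profiles(get_profile_vulnerable, "acct-eve"))
    print("fixed API, stranger sees:     ", enumerate_profiles(get_profile_fixed, "acct-eve"))
    print("self-approval, vulnerable:", self_approval_succeeds(approve_vulnerable))
    print("self-approval, fixed:     ", self_approval_succeeds(approve_fixed))
```

The two hardened handlers share one design rule: every request carries an authenticated identity, and every object the request names is checked against that identity before anything is returned or changed. Returning the same error for "does not exist" and "not yours" matters in the profile case, since a distinguishable response would still let an attacker enumerate which IDs are live.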

hereO fixed the issue on December 15, 2015, after Rapid7 notified its security team in late October.