Wi-Fi-enabled toys from Fisher Price could have put children's information on the line. Its Smart Toy range has been diagnosed with a security vulnerability that could leak the owners' information to hackers, a security analyst has revealed.
Rapid7's Mark Stanislav shared in a recent publication that Fisher Price's Smart Toy range carried "Vulnerability R7-2015-27: Improper Authentication Handling". This vulnerability arises from a weak authentication and verification system on the toy's platform and could allow hackers access to the toy's details. Data at stake include toy ID, toy name, type and associated child's profile including the name, birth date, gender, language and the toys they play with.
The Smart Toy range includes interactive educational toys for children between the ages of three and eight. Once connected to the internet over the Wi-Fi, the toy can be accessed from a mobile app on the parent's mobile.
When gaining access to the platform, hackers can also alter the information on an account and change the children's profiles. Hackers can also share information about the app on the parent's mobile, determining how actively the parents use the mobile app or if a child is interacting with the toy.
Fisher Price, which was alerted to the issue, said it has fixed the vulnerability. It said "no personally identifiable data" was transmitted by Smart Toy. "We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person," it said in a statement to CERT, a cybersecurity team that works closely with the US Department of Homeland Security.
Previously, Mattel's "Hello Barbie" faced a similar vulnerability. As consumers move towards more connected devices driven by the Internet of Things, they are becoming more susceptible to such threats and attacks.
According to a report by the research firm Gartner, in the next four years there would be around 20.8 billion internet-connected devices in use globally.