The Internet of Things increasingly includes “smart toys,” but no parent knowingly purchases a toy for their child that potentially risks the safety and privacy of their family. Those risks are caused by security flaws found in the Internet-connected toys. Unlike “dumb” toys, “smart” toys carry vulnerabilities that hackers could exploit to potentially harvest a child’s name, birthdate, location and more.
Bugs in a smart bear
Mark Stanislav, manager of security advisory services at Rapid7, discovered bugs in the $100 Fisher-Price Smart Toy, bugs that a hacker could exploit to find kids’ profiles with their name, birthdate and more. The WiFi-connected stuffed toy “can talk, listen, and learn,” and comes with an app that parents can use to schedule playtime activities, daily helpers and more.
The security issues lay in how the app communicated with the vendor’s servers: the Web API improperly handled authentication and authorization. Rapid7 reported a list of APIs that mishandled authorization, with associated risks ranging from finding “all children's profiles, which provides their name, birthdate, gender, language, and which toys they have played with” to hijacking the “device’s built-in functionality.”
As for the impact, Rapid7 wrote:
Most clearly, the ability for an unauthorized person to gain even basic details about a child (e.g. their name, date of birth, gender, spoken language) is something most parents would be concerned about. While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers.
Additionally, because a remote user could hijack the device's functionality and manipulate account data, they could effectively force the toy to perform actions that the child user didn't intend, interfering with normal operation of the device.
Tod Beardsley, Rapid7’s security research manager, said, “This is an easy mistake. You wouldn’t find these bugs today from places like Google, Microsoft.”
Stanislav discovered the flaws in November, and the vendor fixed the issues on January 19.
Flaws in kid-tracking watch open unauthorized access to child’s location
The hereO GPS watch, which started as an Indiegogo campaign, is a real-time tracking device for small children. The watch comes with an app that allows parents to see the location of their child, set up geofencing alerts – such as for safe and unsafe places – and more.
Stanislav found flaws in the hereO GPS platform that could allow for authorization bypass. Regarding the impact, he wrote:
By abusing this vulnerability, an attacker could add their account to any family's group, with minimal notification that anything has gone wrong. These notifications were also found to be able to get manipulated through clever social-engineering by creating the attacker's "real name" with messages such as, 'This is only a test, please ignore.'
Once this exploit has been carried out, the attacker would have access to every family member's location, location history, and be allowed to abuse other platform features as desired. Because the security issue applies to controlling who is allowed to be a family member, the rest of this functionality performs as intended and is not itself any form of vulnerability.
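Both findings above are the same class of defect: the server verified that a caller was logged in but not that the caller was entitled to the specific object or group being touched. The following is an added illustration written for this article, not Fisher-Price, hereO or Rapid7 code; the endpoints, record layout and sample data are all hypothetical and constructed here. It places the weak handler (authentication only) beside the hardened one (authentication plus an ownership or membership check) for a child-profile lookup and for a family-group join, which is the check a reviewer would look for in any parent-facing API of this kind.

```python
"""Authorization checks on a toy/child-tracking style API (hypothetical model)."""
from dataclasses import dataclass, field


@dataclass
class Child:
    child_id: str
    parent_id: str      # the account that owns this profile
    name: str
    birthdate: str


@dataclass
class Family:
    family_id: str
    members: set = field(default_factory=set)


# Constructed sample records; not data from the article.
CHILDREN = {
    "c-1": Child("c-1", "parent-a", "Alice", "2012-05-01"),
    "c-2": Child("c-2", "parent-b", "Bob", "2013-09-14"),
}
FAMILIES = {
    "fam-weak": Family("fam-weak", {"parent-a"}),      # served by the weak join handler
    "fam-hardened": Family("fam-hardened", {"parent-a"}),  # served by the hardened one
}


class Forbidden(Exception):
    """Raised when a caller is not permitted to act on the requested object."""


# --- Weak pattern: a login check stands in for an authorization check --------

def get_child_profile_weak(caller_id, child_id):
    """Any logged-in caller can read any child's profile by supplying its id."""
    if caller_id is None:
        raise Forbidden("login required")
    return CHILDREN[child_id]


def join_family_weak(caller_id, family_id):
    """Any logged-in caller can add their own account to any family group."""
    if caller_id is None:
        raise Forbidden("login required")
    FAMILIES[family_id].members.add(caller_id)
    return sorted(FAMILIES[family_id].members)


# --- Hardened pattern: check the object's owner / an existing member ----------

def get_child_profile(caller_id, child_id):
    """Return the profile only if the caller owns it."""
    child = CHILDREN.get(child_id)
    # One error for "missing" and "not yours", so ids cannot be enumerated
    # by telling the two cases apart.
    if caller_id is None or child is None or child.parent_id != caller_id:
        raise Forbidden("no such profile")
    return child


def add_family_member(inviter_id, family_id, new_member_id):
    """Only an existing member of the family may add another account to it."""
    family = FAMILIES.get(family_id)
    if family is None or inviter_id not in family.members:
        raise Forbidden("only existing members can add members")
    family.members.add(new_member_id)
    return sorted(family.members)


def is_forbidden(fn, *args):
    """True if the call is refused; convenient for tests and self-checks."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # parent-b is logged in but does not own c-1: weak handler leaks it,
    # hardened handler refuses.
    print(get_child_profile_weak("parent-b", "c-1").name)       # Alice
    print(is_forbidden(get_child_profile, "parent-b", "c-1"))   # True
    # An unrelated account joining a family it was never invited to.
    print(join_family_weak("outsider", "fam-weak"))             # ['outsider', 'parent-a']
    print(is_forbidden(add_family_member, "outsider", "fam-hardened", "outsider"))  # True
    print(add_family_member("parent-a", "fam-hardened", "parent-c"))  # ['parent-a', 'parent-c']
```

The hardened handlers take the caller's identity from the authenticated session rather than from the request body, and make the membership or ownership test before touching the record; that single placement is what separates "logged in" from "allowed to see this child" and closes the class of bug described for both products.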
The security issues were discovered in October and reported in November; the vendor patched the flaw on December 15.
Rapid7 has no indication that attackers were exploiting the vulnerabilities.
As more companies connect their products to the Internet, we are likely to continue seeing the unpleasant trend of tacking on security as an afterthought instead of baking it in.