Another Day, Another Smart Toy Hack: This Time, It’s Fisher-Price

Toys offer a unique insight into a time, place and culture that has come and gone. While the Romans had small wooden horses and the Victorians had porcelain dolls, today’s children are exposed to a danger unique to their generation: Internet-connected toys that enable cybercrime.

Exhibit A: the Fisher-Price Smart Toy Bear. On the surface, this teddy bear is remarkable for its ability to remember a child’s name, birthday, gender and more. So, why would it need to remember these things? According to the company, the bear incorporates this information into learning activities parents download from the Internet. While customizing a learning tool is a great idea, it also means the bear is building a profile of its owner and the owner’s child. This can be problematic.

Frequent readers can probably guess what happens next: cybercriminals, looking for an easy score, targeted the toy’s website in an effort to steal personal information and sell it on the black market.

Thankfully, their plan fell through. A group of security researchers discovered several security flaws in how the smart bear communicated with Fisher-Price’s platform. According to this group, the toys weren’t “appropriately verifying the ‘sender’ of messages.” This, theoretically, would allow cybercriminals to retrieve customer profiles and children’s details, and to monitor how often a child interacts with the toy and how often a parent uses the toy’s associated mobile app.

It turns out that cybercriminals can do quite a bit with this information. This sort of data could be useful in launching spear phishing attacks, where a victim is tricked into providing sensitive information to hackers posing as a trusted entity. Other uses for this sort of data range from cracking passwords (never use a relative’s name for a password), to harassing a child or parent through a connected application, to identity theft.

Luckily, the ideal scenario played out: cybersecurity professionals discovered a product’s vulnerabilities, notified the affected company, detailed how the vulnerabilities worked, and the issue was fixed. Both Fisher-Price and the security researchers should be applauded for such a quick, smooth cybersecurity operation.

Unfortunately, we’re likely going to see more of these sorts of security vulnerabilities in the future. In early December, for instance, VTech, a manufacturer specializing in Internet-connected toys, suffered a massive breach. You can expect more of these sorts of stories as the Internet of Things continues to mature.

So, what can you do right now to protect yourself and your loved ones? Here are a few tips to keep in mind:

  • Use Internet-connected toys safely. Children will always want the latest interactive toy on the shelf. These toys increasingly feature Internet connectivity. It is critical to ensure these devices are being used safely by changing default passwords and keeping software up to date.
  • Keep an eye out for suspicious activity. If you do opt to purchase an Internet-connected toy, be sure to keep a keen eye on profiles, activities and changes. Oftentimes, cybercriminals will change a gadget’s settings and account information when given the chance. Change your password immediately, before cybercriminals lock you out of your own account, and notify the toy company if you notice strange or unauthorized changes on your devices.
  • Use strong and unique passwords. If there’s one thing to harp on, it’s this: use strong, unique passwords for each site you visit and for each device you use, and that includes connected toys. It sounds like a lot to manage. It doesn’t have to be. Password management solutions, like True Key™, are simplifying the way you securely log in to online accounts.


