Digital Teddy Bear Exposed Personal Info
Researchers at Rapid7 discovered several vulnerabilities in the Fisher Price Smart Toy line of teddy bears. The vulnerabilities could have allowed an unauthorized person to gain access to personal information about a child, including their name, date of birth, gender and spoken language. Furthermore, one of the vulnerabilities could have allowed a remote user to hijack the toy and manipulate its actions. Luckily, the researchers reported the vulnerabilities to Fisher Price, and the company has remediated the vulnerable components in question. The report still raises valid concerns about internet-connected toys. Because kids are already a vulnerable segment of society, such threats to their personal information are more significant.
The Fisher Price Smart Toy is a line of digital stuffed animals, including teddy and panda bears as well as monkeys. The toys are aimed at children ranging in age from 3 to 8 years old. According to the toy manufacturer’s website, the Smart Toy teddy bears are “An interactive learning friend that talks, listens, and ‘remembers’ what your child says and even responds when spoken to.” The toys connect to the internet through a mobile app intended for parents to download updates and additional content for the device. The internet-enabled functions also “help Smart Toy learn your child’s name.”
According to Rapid7’s researchers, “Through analysis of the Fisher-Price Smart Toy at hardware, software, and network levels, it was determined that many of the platform's web service (API) calls were not appropriately verifying the ‘sender’ of messages, allowing for a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions.” The resulting vulnerability would allow the aforementioned hijacking of the toy, including the ability to manipulate its actions, as well as access to children’s profiles, which contain their “name, birthdate, gender, language, and which toys they have played with.”
Last year’s high-profile hack of children’s toy maker VTech brought similar issues to the public eye: almost 5 million customer records were affected by the breach of the Hong Kong-based company. As a result, adult users’ email addresses, home addresses, and security questions and answers were released to the public, as well as children’s names, dates of birth, and passwords.
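The missing "sender" verification described in the Rapid7 quote above, sketched as an added example that is not Fisher-Price's or Rapid7's code: a handler that returns any profile named in the request, beside one that authenticates the caller and checks ownership. The handler names, token scheme, and profile data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed; a real service keeps this secret

# Constructed sample data: one child profile owned by one parent account.
PROFILES = {
    "child-1": {"owner": "parent-a", "name": "Sample Child",
                "birthdate": "2012-01-01", "gender": "F", "language": "en"},
}


def _mac(account_id):
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_token(account_id):
    """Issued at login: the account id plus a MAC only the server can compute."""
    return f"{account_id}.{_mac(account_id)}"


def authenticated_account(token):
    """Return the account a token was issued to, or None if it is not genuine."""
    account_id, _, mac = token.rpartition(".")
    genuine = hmac.compare_digest(mac.encode(), _mac(account_id).encode())
    return account_id if account_id and genuine else None


def get_profile_unchecked(request):
    """Flawed pattern: the sender is never verified, only the profile id is read."""
    return 200, PROFILES[request["profile_id"]]


def get_profile_checked(request):
    """Hardened pattern: authenticate the sender, then authorize per profile."""
    account = authenticated_account(request.get("token", ""))
    if account is None:
        return 401, None
    profile = PROFILES.get(request.get("profile_id"))
    # Same answer for "missing" and "not yours" so profile ids cannot be probed.
    if profile is None or profile["owner"] != account:
        return 404, None
    return 200, profile
```

The same two-step check (who is sending, and does that account own this object) applies to requests that control the toy, not only to profile reads.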