Mattel's Fisher-Price announced last September it had teamed with the Smart Toy tech company to design a stuffed bear that can learn a three-year-old child's name. The Internet of Things (IoT) device is connected to smartphones via WiFi. However, researchers at a security company have discovered that the mobile app linked to the Fisher-Price toy has security vulnerabilities that could allow a hacker to steal personal data including a child's name, gender, and birthdate.
Boston-based Rapid7 discovered the security issue, according to The Guardian. Fisher-Price encourages parents to use the mobile app so they can interact with their children, and the toymaker said in a statement that it has fixed the technical glitch of its Smart Toy Bear.
The company said there is no proof that any unauthorized people stole its customers' personal data, and that this is why it takes quick action in such situations. The Fisher-Price website also notes that Smart Toy does not transmit any personal data.
The security flaw found by Rapid7 might not be a big one. However, it shows how dangerous it can be when consumer products become connected.
Rapid7 and Mattel have both been involved with security flaws in other devices. Last year the security company found vulnerabilities in a baby monitor, while Mattel announced recently that its smart Barbie might have bugs.
Rapid7 pointed out that more experienced Internet companies such as Microsoft and Google would not have missed such basic software bugs. That is because the security issues relate to an app that is connected to the system's servers.
Tod Beardsley is the security research manager for Rapid7. The expert pointed out that parents often use their child's name for a smart toy's password. He also explained that hackers could use stolen data to launch a phishing attack that would trick the victim family into giving them more personal information.
Beardsley told eWEEK that the Smart Toy has an integrated Android 4.4 operating system. Someone with physical access to the teddy bear could gain system access via an Android Debug Bridge (ADB) shell, but remote security vulnerabilities are a more serious problem, according to eWEEK.