In the age of the Internet of Things, teddy bears and Barbie dolls aren't just silent inanimate dummies anymore, but can actually listen and talk to children. But these gizmos are sometimes too chatty, and can expose the personal information of their little owners.
The research highlights the dangers of so-called "smart" toys, just a few weeks after privacy and security researchers found multiple flaws that could turn the internet-connected Hello Barbie doll into a surveillance device.
Fisher Price's internet-connected teddy bear has a tiny camera on its nose. The camera reads a set of smart cards that will trigger the bear to tell jokes, teach kids curious facts, and other specific learning and playing activities. The bear is also able to respond to the children's questions, according to Fisher Price.
The company said in a statement that it has "remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person."
"Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this," the statement concluded.
The toy also comes with an app for parents, which allows them to control it remotely. A researcher at security firm Rapid7 found that a flaw in the app's platform web service or API allowed hackers to easily find out the names, birthdates and gender of the children using the toy. (The bug has now been fixed, according to Rapid7.)
Tod Beardsley, research manager at Rapid7, said that while the app didn't reveal home addresses or credit card information, it still would have opened the door to scams or phishing attempts.
"It makes it a lot easier for me to present myself as somebody who ought to know the kid's name, or the kid's birthday," Beardsley told Motherboard.
The Internet of Things (IoT) is not just smart fridges or thermostats. "Smart" toys are becoming a $2.8 billion business, according to a recent study. This report and other recent ones, as well as the breach on toymaker VTech, highlight that these smart devices, which are becoming increasingly popular, pose serious privacy and security risks.
"It's like this crashing tsunami of IoT, and every one of them has bugs, I guarantee it."
"It's like this crashing tsunami of IoT, and every one of them has bugs, I guarantee it," Beardsley told me in a phone interview. "You can't expect people to produce bug-free code all the time every time. People are going to ship bugs, that's just the way of the world."
The problem, according to him, is that IoT developers often don't have the "break it mindset" of hackers or security researchers, and sometimes don't even realize how their products and apps could be tinkered with and exploited. On the bright side, less than two months after Rapid7 reported the flaw, Fisher Price fixed the bug. HereO, a family GPS tracker also studied by Rapid7, also recently fixed a similar bug.
These positive responses from the manufacturers give Beardsley some hope for the future.
"We'll get there. We're in a formative period right now," he said, before pausing to wonder what can parents do. "But in the meantime, I guess, just be careful?"