New research from cybersecurity firm Rapid7, Inc. has discovered that two popular devices aimed at children have shipped with security vulnerabilities that would allow the devices to be accessed by nefarious third parties.

The research found that both the Fischer-Price Smart Toy and hereO GPS had an issue with the platform’s web service (API) authorization.

In the Fischer-Price toy, a WiFi enabled stuffed bear billed by the company as an “interactive learning friend that talks, listens, and remembers what your child says and even responds when spoken to,” API calls were not appropriately verifying the “sender” of messages, allowing an attacker to send requests that shouldn’t be authorized under ideal operating conditions.

A number of APIs were found to be at risk, which would enable an attacker to potentially do a number of things, including finding a child’s name, birthday, and more.

With the hereO GPS, a watched designed for kids that also comes (as the name may suggest) with a GPS tracking feature that is supported by both WiFi and SIM card, an attacker could abuse the authorization flaw to add their account to any family group with little notification that anything has gone wrong.

With this access an attacker would have access to every family’s location, location history, and be allowed to abuse other platform features as desired.

“The ability for an unauthorized person to gain even basic details about a child (e.g.. their name, date of birth, gender, spoken language) is something most parents would be concerned about,” Rapid7’s Mark Stanislav said in a blog post. “While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers.”

Child’s play

The good news is that the vulnerabilities have been addressed, with the company telling SiliconANGLE via email that “it is important to note that after the details of these vulnerabilities were disclosed to Fischer-Price and hereO, [and] both vendors worked to resolve the reported issues.”

That said it does highlight once again the growing threats smart toys now present, be it from the toys themselves, or as with the case of VTech Holdings Ltd in 2015, when data gathered from such devices is stored in a central location with inadequate security.

Hacking isn’t necessarily child’s play, but when toy companies don’t implement security properly it certainly starts to look that way.

Image credit: Fisher Price.