Researchers Found a Security Hole in This Smart Teddy Bear

By
Image

“Smart toys” equipped with cameras and microphones can do things that the toys of our youth never could — like letting kids record videos and look up the answers to their questions — but they also come with a new set of worries about privacy and security. Last year, a Barbie doll with speech-recognition capabilities sparked concerns that recordings of children talking to their toys could wind up in the wrong hands. This month, it’s a cute teddy bear with a camera in its nose.

Fisher Price’s Smart Toy Bear uses its camera to scan “smart cards” that let it play games and tell jokes with kids, and it also comes with a remote-control app for parents. They can pick stories and games for the bear to play, or have it let the kids know when it’s time to brush their teeth, take a break, or go to bed.

It seems like a pretty cool toy, actually. But because everything is terrible, our kids’ toys need better internet security than they’re getting. Vice’s Motherboard blog reports that there was a security flaw in the parental-control app that made it possible to find the name, birth date, and gender of any kid using the toy.

Security firm Rapid7, which found the bug, told Vice that although information like addresses and credit-card numbers wasn’t exposed, the names and birth dates would make it “a lot easier for me to present myself as somebody who ought to know the kid’s name, or the kid’s birthday.”

The bug has been fixed now, but it highlights a challenge that gets exponentially more difficult as all of the stuff in our lives becomes networked. We’re used to worrying about securing our phones and computers, but companies are giving us hackable, internet-connected refrigerators and toy bears faster than security measures and best practices are catching up.

Wired published a report on our growing, very exploitable “Internet of Things” in December, focusing in part on the companies that are working to secure it.

Cyber Barbie is now part of the kill chain,” one of the researchers told them.