Security flaws have been discovered in smart toys and kids' watches

 Rapid7 researchers have unearthed serious flaws in two Internet of Things devices:

  • The Fisher-Price Smart Toy, a "stuffed animal" type of toy that can interact with children and can be monitored via a mobile app and WiFi connectivity, and
  • The HereO, a smart GPS toy watch that allows parents to track their children's physical location.

In the first instance, API calls from the toy were not appropriately verified, so an attacker could have sent unauthorized requests and extract information such as customer details, children's profiles, and more.

"Most clearly, the ability for an unauthorized person to gain even basic details about a child (e.g. their name, date of birth, gender, spoken language) is something most parents would be concerned about.

While names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate social engineering or other malicious campaigns against either the child or the child's caregivers."

In the second instance, the flaw allowed attackers to gain access to the family's group by adding an account to it, which would allow them to access the family member's location, location history, etc.

Rapid7 has been working with the companies to correct the problems.

This further highlights nascence of the Internet of Things with regard to information security. While many clever & useful ideas are constantly being innovated for market segments that may have never even existed before, this agility into consumers's hands must be weighed against the potential risks of the technology's use,

Consumer brands must pay greater attention to application security when building smart devices. When a toy becomes connected to the Internet, a child is exposed to a potentially hostile environment. Regulations have not yet caught-up with the need for good application security.

Excerpt from Help Net Security, authored by Zeijka Zora

No comments: