This Teddy Bear Could Have Exposed Your Child’s Identity

Are smart toys worth the risk? That’s a question parents are asking themselves these days as they weigh the usefulness and delight that comes from cloud-connected toys, with the potential for them to be turned into spying devices, as was the claim against the Wi-Fi-enabled “Hello Barbie,” or the possibility of massive leaks involving their children’s personal information, as was the case with the VTech data breach.

Today, that question is back in the spotlight, as security researchers revealed a vulnerability in Fisher-Price’s “Smart Toys” which could have exposed children’s profiles to hackers, including names, birthdates, gender, language, and more, as well as allowing for hijacking of children’s accounts to change their user profiles or other data.


Fisher-Price’s “Smart Toys” are a line of digital stuffed animals, like teddy bears, that are connected to the Internet in order to offer personalized learning activities. Aimed at kids aged 3 to 8, the toys actually adapt to children to figure out their favorite activities. They also use a combination of image and voice recognition to identify the child’s voice and to read “smart cards,” which kick off the various games and adventures.

According to a report released today by security researchers at Rapid7, these Smart Toys could have been compromised by hackers who wanted to take advantage of weaknesses in the underlying software. Specifically, the problem was that the platform’s web service (API) calls were not appropriately verifying the sender of messages, meaning an attacker could have sent requests that should not otherwise have been authorized.

The affected APIs included those that could have listed a customer’s toy details (toy ID, name, type, child profile); those that would have allowed them to retrieve the child’s profile data like their name, birthdate, gender, language and which toys they played with; and more.

Hackers could have also have done things like alter the customer’s account; create, edit or delete children’s profiles; see if parents were using the toy’s accompanying mobile apps; and read other miscellaneous data, like what purchases the customer made, game scores and other items.


Some of those issues would be annoyances, but the more disturbing of the bunch is that hackers could have retrieved personal details about a child – like their name and date of birth. This is something that “most parents would be concerned about,” Rapid7’s Mark Stanislav said in a post detailing the security issues.

“While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers,” he explained.

The vulnerability was disclosed through proper procedures, was addressed by Fisher-Price within two months after Rapid7’s initial contact, and the company reports that it had no indication that any unauthorized individuals accessed customer information using this method.

Toy Hacks And Acceptable Risk

It’s worth noting that hacking the toy alone wouldn’t have been enough to put the child at risk.

Which of course, begs the question: where does a parent draw the line with regard to acceptable risk when it comes to smart toy purchases?

Even if parents back away from connected toys altogether, in favor of protecting their children from any possible potential risk, they may still be filling their homes with other connected devices that leave their family vulnerable. People today buy things like Internet-enabled thermostats, smoke alarms, baby monitors, security cameras, speakers like Amazon Echo, and other “smart home” equipment. And any device that goes online opens you up to the possibility of an attack.

But in the case of the teddy bear hack, age-old parenting techniques – like teaching about “stranger danger” or using safe words – could have mitigated the risk posed by an attacker who learned a child’s identity and then tried to use that in some harmful way, like a kidnapping.

That does not in any way make it acceptable that these services are not being properly locked down, but it’s worth keeping a level head about the real-world dangers they pose.


And some hacked devices are riskier than others. For instance, more concerning than the data-leaking stuffed animal was Rapid7’s other disclosure today: a vulnerability in family locator/smart watch hereO’s GPS platform could have allowed attackers to access to every family member’s location, location history, and “abuse other platform features as desired.”

This, too, was patched by the vendor, but clearly an attacker who gained this data could be more of a direct threat.

That being said, most criminals choose the path of least resistance, and many look for crimes of opportunity.

We’ve been warned for years that social media updates posted while on vacation would draw in burglars. Actual examples, however, have been few and far between. After all, it’s easier to just stake out a house, than scour tweets or Facebook. Similarly, most criminals looking to kidnap a child are not likely spending hours hacking your gadgets or toys, either. And worrying about toy hacks can deflect from the reality that abductions by strangers are rare; in three-fourth’s of cases, family members or acquaintances are to blame.

Sometimes the real danger is not the lurking stranger on the other end of the Internet, but the one you’ve already allowed in your home and your life.