This Fisher-Price Smart Toy Bear Had Data-Leak Vulnerability
Call it a teddy bug.
The Mattel (MAT) Fisher-Price smart toy bear is one of two playthings that a security researcher recently found vulnerable to leaking customer and kids’ data. The other is the hereO GPS watch, a device designed to track the location of family members that also allows them to message one another.
Mark Stanislav, manager of global services at the Boston-based cybersecurity firm Rapid7 (RPD), discovered some of the coding flaws after receiving an Internet-connected teddy bear at a “diaper party” last fall (ostensibly a gift intended for his then unborn daughter). He tore the toy apart a day later to look for computer bugs, he told Fortune.
Get Data Sheet, Fortune’s technology newsletter.
Stanislav discovered that the programmers had designed the bear’s backend to use unsecured application programming interfaces (APIs)—portions of code that allow pieces of software to interact—enabling an attacker to learn profile information about registered children, such as names, dates of birth, genders, and spoken languages. Rapid7 officially disclosed these findings on Dec. 8, and Mattel addressed the issues by Jan. 19.
Prior to prying open that WiFi-stuffed animal, Stanislav had analyzed another gadget. He found that a buggy API in a watch created by the startup hereO allowed him to access family members’ location, GPS logs, and even to mess with other features, like possibly spying on communications. Rapid7 alerted the company in early Nov. and hereO fixed the bugs in mid-Dec.
Stanislav, who previously investigated how easily certain baby monitors could be hacked, undertook the research in his spare time. He is a contributor to the cybersecurity-oriented Online Trust Alliance, a Seattle-based non-profit organization, and a co-founder of a computer security initiative called builditsecure.ly that aims to promote computer bug reporting. One of his hobbies is to hack Internet of things devices.
Stanislav, who recently became a father, said he focused on toys as a natural extension of his past research. He also said he hoped to drive home the point about the dangers of Internet-connected devices while improving their security. “I really find it fascinating how much connectivity we’re putting onto people so young, and the security and privacy and safety aspects that go along with that,” he said.
“I’m sure somewhere deep down the fatherhood thing factored in as well,” he added.
These two toy vulnerabilities are the latest in a spate of reports about kids’ gadgets that have been prone to hacking, including Mattel’s Hello Barbie Doll and Chinese toymaker VTech’s (VTKLF) educational children’s products.
For more on techie toys, watch:
Tod Beardsley, the security research manager at Rapid7 who coordinated the vulnerability disclosures, described the flaws as “pretty stock web API vulnerabilities” that more tech-savvy companies probably would have caught before going to market. He did praise the companies for taking quick action to resolve the issues, however.
“Even if they did ship vulnerabilities initially with these products, they did fix them and take responsibility for them,” he said.
Kenya Friend-Daniel, a spokesperson for Mattel and Fisher-Price, sent Fortune the following statement via email. “We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person.”
HereO did not immediately reply to Fortune’s request for comment, kicking back an auto-generated email that acknowledged the message’s receipt and that there would be delays due to “a significant increase in the number of requests.”
Update (Feb. 3):
HereO has supplied Fortune with the following statement. “The vulnerability was patched within 4 hours of identification, we had yet to commence shipping of our GPS watches at the time, and most importantly, we can confirm that none of our users’ data or security was compromised,” said Eli Shemesh, the company’s chief technology officer.