Security Issues with Connected Toys

You may have seen the news that Fisher Price has reported a flaw in one of its smart toys that would have allowed children’s data to be stolen.

The problem has now been fixed, but the flaws would have allowed criminals to steal names, birthdate and gender along with other data. No data seems to have been stolen, as Fisher Price reacted in time. Security experts from Veracode and Rapid7 offered the following comments.

Mark Stanislav, Manager, Global Services at Rapid7:

“The amount of personal data that consumers willingly provide to vendors can put their personal privacy and security at risk when not properly protected and controlled. Access to individuals’ personally identifiable information, Internet-connected devices within their home, and the potential for anonymous interaction with children are all concerns that need to be addressed during the growth of the Internet of Things. As vendors continue to innovate in the market of connected toys, additional focus must be put on securing the users’ privacy and safety.

“The good news here is that both Fisher-Price and HereO, in coordination with CERT, have acknowledged and fixed the identified flaws in their products. It’s very encouraging to see these companies taking security seriously and fixing quickly. We’ve seen a significant number of IoT toy vulnerabilities disclosed over the past six months, and we expect this trend will continue as new toys hit the market. I can’t stress enough how critical a time it is for manufacturers of connected toys – and IoT devices in general – to think about building security in at the development phase. Translation: All is not lost, but the time to act is now.”

Paul Farrington, Senior Solution Architect at Veracode:

It’s great to see that Fisher Price has reacted so quickly to fix the security vulnerability found in its new Smart Toy. Just last year, the Vtech attack demonstrated how vulnerabilities found in connected toys not only pose a risk to children’s privacy, but also the information security of their parents who may use their details to buy add-ons for that toy or for related services.

This case once again highlights how consumer companies must pay greater attention to application security when building smart devices. Toy manufacturers have been subject to quality standards for decades. These help keep our children safe. When a toy becomes connected to the Internet, a child is exposed to a potentially hostile environment. Regulations have not yet caught up with the need for good application security. Code security scanning needs to become a ‘final check’ in all toys that connect to the Web.