Grrrr! Teddy Bears Are Being Hacked

Your computer can get hacked. Your phone can too. And yes, your bank account. But did you know that your child’s beloved stuffed teddy bear could get hacked as well?

Okay, it’s not just any Teddy. Teddy Ruxpin isn’t going to awaken and strangle you in your sleep. Nor is Winnie the Pooh going to suddenly take your debit card and rack up some charges at the nearest honey store. No, the case we’re talking about involved an internet-connected line of stuffed animals from Fisher-Price. It was recently revealed that the company’s line of Smart Toys—which are stuffed animals combined with mobile applications—was vulnerable to hackers due to a number of weak application programming interfaces (APIs). These flaws gave attackers “open doors” through which they could spy on families, steal important data, and even command the toy to do things.

According to researchers from the security firm Rapid7, the APIs—which are slices of code that let services call in and take advantage of operations delivered from a server—“did not properly verify who sent messages.”

While the vulnerabilities have been fixed, the episode leaves many people—both those who purchased these products and those who fear the growing world of tech in everyday items—feeling a little nervous. Any such breach opens an individual to theft and identity fraud. A hacker could steal a person’s username or email address and access more personal information by having Fisher-Price’s server send them details about that account—details such as their child’s name, gender, birthdate and what toys they’ve played with. That may seem harmless enough, but an attacker could then create accounts based on that information and steal that child’s identity. The information would also be valuable to perverts and child abductors.
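The flaw Rapid7 describes, an API that returns account details without checking who is asking, is the kind of missing authorization check shown below. This is an added illustration written for this page, not code from Fisher-Price, Rapid7 or the Smart Toy platform; the account records, the child profiles, the signed-token scheme and the server key are all constructed for the example. The weak handler hands out any family's child profile to whoever names the account id; the hardened handler first proves which account the caller holds a valid token for, and then only releases data that caller owns.

```python
"""Added illustration: an API that trusts the caller's claimed account id
versus one that authenticates the caller and then checks ownership.
All accounts, tokens and names here are constructed sample data."""
import hashlib
import hmac
from typing import Optional

# Constructed sample data: two families' accounts and the child profile tied to each.
ACCOUNTS = {
    "acct-1001": {"email": "parent-a@example.invalid",
                  "child": {"name": "Avery", "birth_year": 2012}},
    "acct-1002": {"email": "parent-b@example.invalid",
                  "child": {"name": "Blake", "birth_year": 2014}},
}

# Server-side signing key for session tokens (constructed; a real service
# would load this from a secret store, never hard-code it).
SERVER_KEY = b"example-server-key-do-not-reuse"


def issue_token(account_id: str) -> str:
    """Mint a session token bound to one account id: '<account_id>.<hmac>'."""
    tag = hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()
    return f"{account_id}.{tag}"


def principal_from_token(token: str) -> Optional[str]:
    """Return the account id the token proves, or None if it is malformed or forged."""
    try:
        account_id, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return account_id


def child_profile_unverified(requested_account_id: str) -> Optional[dict]:
    """The weak pattern: whoever names an account id gets its child profile.
    Nothing ties the request to an authenticated caller, so one family's
    data is readable by anyone who can guess or enumerate account ids."""
    record = ACCOUNTS.get(requested_account_id)
    return record["child"] if record else None


def child_profile_verified(token: str, requested_account_id: str) -> Optional[dict]:
    """The hardened pattern: authenticate the caller, then authorise the
    specific resource. A valid token for family A must not unlock family B."""
    caller = principal_from_token(token)
    if caller is None:
        return None                      # unauthenticated request
    if not hmac.compare_digest(caller, requested_account_id):
        return None                      # authenticated, but not the owner
    record = ACCOUNTS.get(requested_account_id)
    return record["child"] if record else None


if __name__ == "__main__":
    token_a = issue_token("acct-1001")
    print(child_profile_unverified("acct-1002"))           # leaks Blake's profile to anyone
    print(child_profile_verified(token_a, "acct-1002"))    # None: A's token does not own B's account
    print(child_profile_verified(token_a, "acct-1001"))    # Avery's profile, as intended
```

The point of the design is that "who sent this message" is answered by the server from a credential it can verify, not from a field the client fills in; the ownership check then compares that verified identity against the resource requested, so a valid login for one family never becomes a key to another family's data.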

And other, more disturbing things could come from it. “They could effectively force the toy to perform actions that the child user didn’t intend, interfering with normal operation of the device,” stated Rapid7 in a blog post.

Fisher-Price fixed the problem after being contacted by Mark Stanislav, a researcher at Rapid7, on November 23, 2015. Stanislav was also responsible for discovering API issues in a line of smartwatches by hereO, which allowed parents to track their children’s movements over GPS. This vulnerability let hackers break into the system, create a bogus account, trick the family and then take over the account. From there they could track any family member on the system. That issue was fixed on December 15, prompting hereO CTO Eli Shemesh to say, “We not only appreciate Rapid7's feedback, but also welcome and embrace the valuable support of the global IoT community in our relentless efforts to maintain a bar-none, zero-tolerance environment for the safety and security of our users…. Addressing the issue more specifically, the flagged loophole within our application was closed within 4 hours of identification. More importantly, as hereO at the time had yet to commercialize its GPS watches, at no point was any child at risk of any malicious activity.”

These, however, were not the only such security breaches. Hong Kong toymaker VTech had a similar hack that saw the personal data of 6.4 million kids and 4.8 million adults leak out. Similar “break-ins” occurred with Barbie and Call Me Kayla dolls, as well as with Little League Baseball.

It seems that once upon a time, nothing could be creepier than a beloved toy like Chucky from Child’s Play or the clown from Poltergeist coming to life. But, as it turns out, there is.