Security firm Rapid7 has uncovered vulnerabilities in a number of childrens' products, although the company claims they have now been patched.
Rapid7 discovered a vulnerability in the Fisher Price Smart Toy, a range of cuddly soft bears that claim to educate and engage children. The toy's "web service (API) calls were not appropriately verifying the sender" of messages," the report revealed, meaning an attacker could send requests to the device without authorisation.
Specifically, it was possible to obtain the child's name, birthdate, gender, language, and which toys they have played with, create, edit, or delete children's profiles on an account, change the toys related to an account, find out whether a parent is using their associated mobile app and look at the purchases made by a customer, scores for games played on the toy and which game packs had been downloaded.
"Most clearly, the ability for an unauthorized person to gain even basic details about a child (e.g. their name, date of birth, gender, spoken language) is something most parents would be concerned about," Mark Stanislav, manager, global services at Rapid7, said in his blog.
"While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers."
The HereO GPS watch is also open to attack, Rapid7 explained.
"By abusing this vulnerability, an attacker could add their account to any family's group, with minimal notification that anything has gone wrong. These notifications were also found to be able to get manipulated through clever social-engineering by creating the attacker's 'real name' with messages such as, 'This is only a test, please ignore.'" Stanislav addesd.
Once the exploit has been attacked, information including every family member's location, or location history could be uncovered and can be used to abuse the platform.
Both Fisher Price and HereO said they have fixed the vulnerabilities uncovered by Rapid7. However, it serves as a stark warning to both parents and manufacturers.
"The amount of personal data that consumers willingly provide to vendors can put their personal privacy and security at risk when not properly protected and controlled," Stanislav said.
"Access to individuals' personally identifiable information, Internet-connected devices within their home, and the potential for anonymous interaction with children are all concerns that need to be addressed during the growth of the Internet of Things. As vendors continue to innovate in the market of connected toys, additional focus must be put on securing the users' privacy and safety."
This is the latest in a long string of vulnerabilities found in childrens' toys. In the last few months, VTech's educational platform was hacked, as was Hello Barbie, which could be used to spy on children.
Security experts have now warned parents to be aware of the risk posed by connected toys.
