Creepy Bear Toy Creepier Than You Could Even Imagine

Illustration for article titled Creepy Bear Toy Creepier Than You Could Even Imagine

A new internet-connected stuffed bear capable of learning a kid’s name shipped with some scary security flaws. Researchers found holes that could let creeps steal children’s personal info.


Mattel and the researchers say the flaws on its Fisher-Price “Smart Toy” were fixed before anything bad happened, but this incident underlines how vulnerable internet-connected toys are to data breaches. Boston-based security firm Rapid7 pointed out that inexperience can leave companies vulnerable to security holes, according to The Guardian:

The flaws in the Fisher-Price case had to do with how the app, meant for parents, communicates with servers running the system. They’re the kind of flaws a more experienced internet company probably wouldn’t have missed, Rapid7 said.

“This is an easy mistake,” said Tod Beardsley, Rapid7’s security research manager. “You wouldn’t find these bugs today from places like Google, Microsoft.”

Nearly 6.4 million children were affected by a horrific data breach at children’s connected-toy company Vtech. This time, Rapid7 helped Mattel fix its security flaw before anybody exploited it, but the presence of flaws that could put children in danger in toys meant to keep them comforted is, well, not very comforting. But as The Guardian points, hackers are just dying to find a flaw in Mattel’s controversial Hello Barbie toy. So this doesn’t bode well for Mattel’s cybersecurity.

Also the bear looks like it has seen some shit.

[The Guardian]


OK, so I’m on board with the general consensus that a internet-connected toddler’s toy is a bad idea. I’m just curious, what they mean by “the flaws were fixed before anything bad happened”

I am genuinely curious what the worst-case scenario is for a toy to be hacked.

I can imagine only a few things are possible, here (brought upon by even further bad design ideas).
-Toy happens to be a camera and the pictures can be obtained by anyone (which actually happened with VTECH).
-Toy has a built-webcam that can be remotely activated and viewed.
-Toy has 2-way communication that can allow a toddler to talk to someone on the internet.
-Toy can talk and subliminally programs child to kill the president.
-Toy links with PC or Tablet and sets browser homepage to LemonParty.
-Toy has access to the toddler’s bank accounts and tax return.
-Toy can physically move around and can become a hacker’s personal theft drone.