Smart toys spring dumb vulns. Again. This time: Cuddly bears, watches

Researchers with arguably too much time on their hands have discovered security blunders surrounding Fisher-Price Smart Toys and hereO GPS watches for children. Fortunately, the two sets of vulnerabilities, discovered by security researchers at Metasploit biz Rapid7, have been addressed and fixed by both affected vendors. …

  1. Doctor_Wibble
    Terminator

    I Always Do What Teddy Says

    I dare say there's other stories on the same theme, but this is the one I know.

    Toys like this are several levels more unwise than just plonking the kids down in front of the tellybox. More so than letting tablets be their teachers. But it's perfectly fine because we watched cartoons when we were kids and that never did us any harm because it's completely comparable, right...? There doesn't seem to be much to balance it all out any more.

    Just to drag the mini-rant back to relevance to the article - these things need to be really really trustworthy and right now none of them are even close.

    1. Anonymous Coward
      Devil

      Re: I Always Do What Teddy Says

      These shoddy practices will continue until the first "Chucky incident" occurs.

  2. Charles 9

    It's almost to the point that perhaps legislatures have to get into the act and put a cork in all this IoT stuff. This kinda feels like the days of the foot x-ray machine: people throwing stuff against the wall to see if they stuck, not realizing some of them are going THROUGH the wall. Perhaps once someone finds a way to use an IoT item used every day to jump air gaps and potentially reveal scary state secrets (like espionage info or nuclear data), then they'll be forced to act in the name of sovereign security.

    1. Anonymous Coward
      Joke

      Never may that be so...

      My dear internet commenter.

      Your worry is dreadfully uncalled for. Why this new age of entrepreneurs making things of the internet is to bring in great markets and wealth. We would never rush anything out into the market before testing or that would be unsafe. And if we did, it would be totally the other party's fault and not ours. No, we can do nothing but sell more stuff.

      Oh, and while you're reading, would you like to buy one of our new Radium Blankets? It's the latest invention and perfectly safe, we assure you!

      http://www.sciencephoto.com/media/364732/view

  3. Mike 16

    Scary State Secrets

    (aside, how do I parse that: "(Scary State) Secrets" or "Scary (State Secrets)"?)

    Anyway, perhaps the sort of secrets that caused at least one agency of at least one Scary State to prohibit Furbies entering secure area.

    1. Charles 9

      Re: Scary State Secrets

      Put it this way. The kind of secrets that would either render them a "bad country" that others will immediately embargo or (worse) directly threaten their very existence.

    2. Stoneshop
      Headmaster

      Re: Scary State Secrets

      (aside, how do I parse that: "(Scary State) Secrets" or "Scary (State Secrets)"?)

      Yes.

  4. Bota

    Can't wait for the inevitable Pedo Bear headlines, in other news Tickle-Me Elmo seems far more nefarious to me now.

  5. Peter X

    "Johnny, what have I told you about not talking to toys?"

    Honestly, when you step back from it and look at it... it's sooo stupid putting internet connectivity in these things not least because local data-storage and raw CPU power aren't particularly expensive these days.

    It probably won't change, at least not whilst it's mere children's privacy being violated. Once we have a high-ranking GCHQ/NSA operative's super-secrets stolen by their own child's toy bear*, *then* maybe they'll start to take it seriously!

    * (note to self... contact Charlie Brooker about a possible Black Books script entitled "Rupert-Gate: the tale of an entire government brought down by actions of a rogue soft-toy")

  6. Anonymous Coward
    Anonymous Coward

    Anybody who inputs his kid's actual date of birth in a wifi-enabled toy has a security hole of his own, in his head.

    Come to think of it, ditto for putting in your own actual DoB in any online service, unless it is government mandated, such as for banking or tax purposes. Just pick a reasonably close date, +/- a week and use that for all sites.

    Heck, on dating sites, many women are even more admirably cautious than that and pick dates 3-5 years past their actual DoB.

    Now, if I could only remember what fake date I used for Sony's Playstation Network I could log back into it ... :(

    1. Anonymous Coward
      Anonymous Coward

      Maybe, but if 'date of first registration' <> 25/12/20XX then it's a fair bet that you know the child's birthday, if not birth year. On the other hand as that is almost certainly publicly available via facebook and a thousand other sources, what does it actually matter?

      1. Anonymous Coward
        Anonymous Coward

        >almost certainly publicly available via facebook and a thousand other sources, what does it actually matter?

        Errrr, it might be a dumb idea (along with using mum's maiden name with all the genealogical dbs out there), but dob is still a major identification question for lots of sensitive transactions.

        Until that bit of stupidity's fixed, I will have to put up with the horror of not having my actual birthday on FB (having mine as 1923 makes me drop out of many ad demographics). Or on my son's teddy bear - registration date, if saved, is likely a less visible account attribute and you can always register the next day. Plus, as the 1000 other sources each tend to varying dobs, good luck finding my actual one.

        1. Charles 9

          "Plus, as the 1000 other sources each tend to varying dobs, good luck finding my actual one."

          They'll just go to the one source where they WILL know the true DOB: government websites. There's a lot of identity information that's open to the public for various legal reasons (voter registration checking and so on). I frankly think disguising a date of birth is an exercise in futility given there's already a known true source.

  7. Anonymous Coward
    Anonymous Coward

    Personal information

    I have said this before and being a typical reg reader, I will say it again...

    The concept of our personal information being a tangible legal property is starting to become more important, companies don't really care about securing it, people themselves almost less so, but its value is recognised by the people making money from it now!

    I think there was even a reg story about this recently....

    http://www.theregister.co.uk/2016/02/02/uk_raises_concern_about_eu_consumer_law_plans_on_trade_of_data_for_digital_content/

    1. John Brown (no body) Silver badge
      Childcatcher

      Re: Personal information

      "companies don't really care about securing it, people themselves almost less so,"

      As is evidenced by the last big toy hack. Comments from the public in the press and on TV news weren't outrage about the hack, it was outrage that the toys didn't fully work any more or that little johnny couldn't register their account on Xmas morning because the servers were still down while they attempted to sort out the security.

      Many people not only don't understand or care, they have incredibly short memories. "Oh look, there's one of those x toys. Wasn't there something on the news about them a while ago? Yeah, they must be good if the news talked about them,"

      There's no such thing as bad publicity, as someone once said.

      1. Trigonoceps occipitalis

        Re: Personal information

        " ... little johnny couldn't register their account on Xmas morning ... "

        The ignoratti at work. It used to be toys that needed batteries that couldn't be used on Christmas day. I know, and you know, that to provide the full gift experience for your young friend the toy* will need to be registered and this is best done beforehand, not while the rest of the world is trying to access the web (new tablets, mobiles, etc given as gifts). It will also mean that you can control the information revealed.

        * Toy = surveillance device and I am glad that I no longer have responsibility for keeping specific children safe online. Regarded as the most technically competent member by my family I am nevertheless a dinosaur who should wear a tin foil hat.

  8. paulc

    It's because they're too worried

    about not making it into the market in time... and keeping the budget as low as possible...

    They'll only start worrying about security if it is mandated from above or else they get a massive comeback from lawsuits...

    1. John Brown (no body) Silver badge
      Unhappy

      Re: It's because they're too worried

      "and keeping the budget as low as possible."

      Sadly, it's almost certainly partly because someone at the company wonders why they should spend money pen testing a 15 quid toy when some nerd with too much time on their hands will do it for free. Many of them will even send you a bug report, possibly including the fix, and then give you time to fix it before going public, thus turning it into a non-story by the time the news breaks. Win-win all around as far as the accountants are concerned.

  9. Mage Silver badge

    Toys

    German style wooden railways

    Blocks

    Micromachines

    Meccano

    Lego

    Playdoh

    Plasticine

    Windup toys

    pull back toys.

    Dumb cuddlies

    Articulated play figures / dolls

    Nothing that uses charger, batteries, solar panels or electronics, except Electronics breadboard kits.

    No so called "educational learning electronics" / "toy laptops etc" / vtech.

    Toys with electronics or batteries have mostly been unsafe or badly made. Many are a fire risk if you put NiMH batteries in!

    1. Anonymous Coward
      Anonymous Coward

      Re: Toys

      Ffs.

      Wooden railways and plastic dolls are a fire risk if not used properly.

      It's not the 19th century, kids don't want your crap toys.

  10. Chika
    Big Brother

    Rutabaga

    It's the revenge of Teddy Ruxpin, I tells ya!

  11. FraK
    Trollface

    Isn't this just . . .

    . . . DevOps in toy form?

  12. Robert Helpmann??
    Childcatcher

    So many flaws, so little time

    Researchers with arguably too much time on their hands have discovered security blunders...

    Nuts to that! There are so many security holes in so many products these days, it's hard to argue that they have too much time. The individuals involved could work for several lifetimes and still only scratch the surface. Because of the pervasive and invasive (even if self inflicted) set of network connected devices in consumers' lives these days, the chances of there being a flaw in at least one of them is simply more likely than at any other point before. It does not seem to matter which device is compromised as they all can open a person up to unwanted attention or actions.

  13. AC Wilson

    Not original, but...

    I repeat, you can't spell idiot without Iot.
