The Fisher-Price Smart Toy does not perform proper authentication of some API commands, and it may also use a vulnerable version of Android.
The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy. The device utilizes network connectivity to provide more interactivity with children.
CWE-287: Improper Authentication - CVE-2015-8269
A remote attacker may be able to view or edit private information about the child and/or parent that registers the toy, and may take over ownership of the toy.
Fisher-Price has made changes to the platform to mitigate this issue. Concerned users should contact Mattel, Inc. / Fisher-Price for more information.
Thanks to Mark Stanislav of Rapid7, Inc., for reporting these issues to us.
This document was written by Garret Wassermann.
|Date First Published:||2016-02-02|
|Date Last Updated:||2016-02-02 16:00 UTC|