R7-2015-27 and R7-2015-24: Fisher-Price Smart Toy® & hereO GPS Platform Vulnerabilities (FIXED)

Through our recent publication of numerous security issues of Internet-connected baby monitors, we were able to comprehensively raise awareness of the real-world risks facing those devices. Further, we were able to work with a number of vendors to get key security problems resolved, resulting in major increases of security within that particular market space. Today, Rapid7 is continuing this effort in applying security research to the Internet of Things (IoT) with the release of information on two new security research projects that have also improved the safety and privacy of families.

With this most recent research, we have once again been able to work with vendors to resolve serious security issues impacting their platforms and hope that vendors considering related products are able to take note of these findings so that the overall market can improve beyond just these particular instances. We also hope that consumers are able to use these issues as examples of the potential risks of leveraging IoT products within their own family. As usual, relevant vendors were notified and CERT proved instrumental in connecting us with the vendors in question, per our usual disclosure policy.

Fisher-Price Smart Toy®

The Fisher-Price Smart Toy® is an innovative line of digital “stuffed animals” that provide both educational and entertainment options for children ranging in ages from 3-8 years old. While the device is able to function without Internet-connected capabilities, its functionality is enhanced over Wi-Fi through a companion mobile application for parents and updates to device activities. Plus, let’s face it, a “smart” toy doesn’t really get very smart without some real-time Internet connectivity!

The issues for the Fisher-Price Smart Toy® were disclosed to CERT under vulnerability note VU#745448.

Vulnerability R7-2015-27: Improper Authentication Handling (CVE-2015-8269)

Through analysis of the Fisher-Price Smart Toy® at hardware, software, and network levels, it was determined that many of the platform’s web service (API) calls were not appropriately verifying the “sender” of messages, allowing for a would-be attacker to send requests that shouldn’t be authorized under ideal operating conditions. The following is a list of APIs that were found at risk to this lack of proper authorization and associated impacts due to that vulnerability.

• Find all customers (sequential integer), which provides a list of those customers’ toy details (toy ID, toy name, toy type, and associated child profile)
• Find all children’s profiles, which provides their name, birthdate, gender, language, and which toys they have played with
• Create, edit, or delete children’s profiles on any customer’s account, which will be displayed within a parent’s mobile application
• Alter what toys a customer’s account has (e.g. delete toys, add someone else’s toy to a different account), effectively allowing an attacker to ‘hijack’ the device’s built-in functionality
• Find the status of whether a parent is actively using their associated mobile application or if a child is interacting with their toy
• Read access to miscellaneous data, such as what game packs are attached to a profile, what purchases were made by a customer, and scores for games

Impact

Most clearly, the ability for an unauthorized person to gain even basic details about a child (e.g. their name, date of birth, gender, spoken language) is something most parents would be concerned about. While in the particular, names and birthdays are nominally non-secret pieces of data, these could be combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child’s caregivers.

Additionally, because a remote user could hijack the device’s functionality and manipulate account data, they could effectively force the toy to perform actions that the child user didn’t intend, interfering with normal operation of the device.

Disclosure Timeline for R7-2015-27

Fri, Nov 13, 2015: Initial research and discovery by Mark Stanislav of Rapid7, Inc.

Mon, Nov 23, 2015: Initial contact to the vendor.

Tue, Dec 08, 2016: Details disclosed to CERT as VU#745448.

Thu, Jan 07, 2016: Disclosure details acknowledged by the vendor.

Tue, Jan 19, 2016: Issues addressed as reported by the vendor.

Tue, Feb 02, 2016: Public disclosure of R7-2015-27.

hereO GPS Platform

The hereO GPS Platform provides family members a connected and integrated means to easily keep track of the location and activity of each other through the use of both a multi-platform mobile application and a cellular-enabled watch that is targeted at use by children ranging in ages from 3-12 years old. Much like a traditional social network, family members can be invited into a group and then have varying levels of access to each other, determined by administrative users. Additional features of this platform include intra-family communication (i.e. messaging), notifications for people coming and/or going from a specific location (i.e. geo fences), and even a panic-alert function.

The issues for the hereO GPS Platform were disclosed to CERT under vulnerability note VU#213384.

Vulnerability R7-2015-24: Authorization Bypass

Through analysis of the hereO GPS Platform at software and network levels, it was determined that an authorization flaw existed within the platform’s web service (API) calls related to account invitations to a family’s group were not adequately protected against manipulation. Through the use of a pawn account that an attacker controls, they are able to send a request for authorization into a family’s group they are targeting, but by abusing an API vulnerability, allow their pawn account to accept that request on that targeted family’s behalf. The following diagram shows the effective attacker’s workflow used to conduct this attack.

Impact

By abusing this vulnerability, an attacker could add their account to any family’s group, with minimal notification that anything has gone wrong. These notifications were also found to be able to get manipulated through clever social-engineering by creating the attacker’s “real name” with messages such as, ‘This is only a test, please ignore.’

Once this exploit has been carried out, the attacker would have access to every family member’s location, location history, and be allowed to abuse other platform features as desired. Because the security issue applies to controlling who is allowed to be a family member, the rest of this functionality performs as intended and not itself any form of vulnerability.

Disclosure Timeline for R7-2015-24

Sat, Oct 24, 2015: Issue discovered by Mark Stanislav of Rapid7, Inc.

Thu, Oct 29, 2015: Internal review by Rapid7, Inc.

Mon, Nov 02, 2015: Initial vendor contact.

Tue, Nov 23, 2015: Details disclosed to CERT, VU#213384 assigned.

Tue, Dec 15, 2015: Details disclosed to the vendor.

Tue, Dec 15, 2015: Issue resolved as reported by the vendor.

Tue, Feb 02, 2016: Public disclosure of R7-2015-24.

Conclusions

This research helps to further underline the nascency of the Internet of Things with regard to information security. While many clever & useful ideas are constantly being innovated for market segments that may have never even existed before, this agility into consumers’s hands must be delicately weighed against the potential risks of the technology’s use.

Still, it’s important to be mindful that all technologies contain bugs that can often impact the security of the ecosystem powering a sometimes complex mixture of protocols, standards, and components. While the issues explained here were detrimental to their user’s privacy and safety, they were also issues that we’ve seen so many organization’s make.

For this reason, it’s critical that vendors creating the next generation of IoT products & platforms leverage industry initiatives, such as BuildItSecure.ly and OTA’s IoT Trust Framework, to better the security of these technologies before they enter consumer’s hands and homes.

If you’re curious about some of the techniques to approach research such as this, please take a look at a previously published primer on IoT hacking that discusses some of the approaches and technologies used to conduct this research.