In September 2015, American giant Fisher-Price launched a whole range of "intelligent" toys. Among the connected playthings was the Smart Teddy Bear which promised all kinds of high-tech functions, including announcing the name of its young owner.
Today, a few months after the cuddly 2.0 toy hit shelves, security information company Rapid7 have revealed failures in the toy's platform that make it entirely vulnerable to any malicious hacker. As such, it's possible to procure a variety of personal details about the children in charge of the fuzzy spy, including name, age, sex, language, and the email address linked to the product.
Beyond simply obtaining information, the hacker "could effectively force the toy to perform actions that the child user didn't intend, interfering with normal operation of the device", explains Rapid7.
What's more, the report goes on to state that seemingly harmless data could be "combined later with a more complete profile of the child in order to facilitate any number of social engineering or other malicious campaigns against either the child or the child's caregivers."
Following the security alert, Fisher-Price responded with a press release stating that it had "remediated the situation" and that it had "no reason to believe that customer information was accessed by any unauthorised person."
While there is no concrete proof that remote users were hacking the bears, this kind of security loophole would release enough information to launch a phishing attack, explains the Guardian. And indeed, names and children's dates of birth are very often used by parents as passwords.
Maybe teddy bears were just not meant to be smart.