Fisher-Price's Chatter Phone Has a Simple But Problematic Bluetooth Bug (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: As nostalgia goes, the Fisher-Price Chatter phone doesn't disappoint. The classic retro kids' toy was given a modern revamp for the holiday season with the new release for adults which, unlike the original toy designed for kids, can make and receive calls over Bluetooth using a nearby smartphone. The Chatter -- despite a working rotary dial and its trademark wobbly eyes that bob up and down when the wheels turn -- is less a phone and more like a novelty Bluetooth speaker with a microphone, which activates when the handset is lifted. The Chatter didn't spend long on sale; the phone sold out quickly as the waitlists piled up. But security researchers in the U.K. immediately spotted a potential problem. With just the online instruction manual to go on, the researchers feared that a design flaw could allow someone to use the Chatter to eavesdrop.
Ken Munro, founder of the cybersecurity company Pen Test Partners, told TechCrunch that chief among the concerns is that the Chatter does not have a secure pairing process to stop unauthorized phones in Bluetooth range from connecting to it. Munro outlined a series of tests that would confirm or allay his concerns. [...] The Chatter doesn't have an app, and Mattel said the Chatter phone was released as "a limited promotional item and a playful spin on a classic toy for adults." But Munro said he's concerned the Chatter's lack of secure pairing could be exploited by a nearby neighbor or a determined attacker, or that the Chatter could be handed down to kids, who could then unknowingly trigger the bug. "It doesn't need kids to interact with it in order for it to become an audio bug. Just leaving the handset off is enough," said Munro.
I prefer the original (Score:4, Funny)
No security bugs, no batteries to charge, and best of all? No robocalls.
Time to Market (Score:2)
Did dropping the secure pairing feature allow Fisher-Price to stick to their production schedule and release this Chatter phone in time for the holiday season?
Just speculating.
Re: (Score:2)
Directional bluetooth antennas can get crazy distances compared to "normal" bluetooth.
In playing around with such we could pair a pc with the directional antenna to a headset easily at 100m distance and listen to the sounds coming from the PC.
Re: (Score:2)
You missed out on the articles on the Bluetooth Rifle, then. This is highly directional and has a range of 1.2 miles.
Re: Time to Market (Score:2)
No fucking way... I have heard of WiFi setups this way but Bluetooth is news to me.
Any more details? What's it look like? Store bought or custom built? Reliability? That's stupid crazy range for Bluetooth...
Re: (Score:2)
This is the version you can get plans for.
https://www.smallnetbuilder.co... [smallnetbuilder.com]
https://www.smallnetbuilder.co... [smallnetbuilder.com]
https://www.wired.com/2004/08/... [wired.com]
Re: This is pretty damned funny (Score:2)
When I was a kid I had such a walkie talkie. Speaker also used as mic and orange "morse" key, GI-Joe themed. These were a very common item in toy stores throughout the 80s.
One day when I was using it, a ham radio operator cut in on the conversation and asked "what's a kid doing on here?". My mom took the walkie talkie and she had a bit of a conversation with him, explaining the situation and they both had a bit of a laugh.
Re: (Score:2)
It doesn't have a button. An app or a button do the same thing; allow you to control when it attempts to pair.
It has neither. That's how it is different.
Re: (Score:2)
But it does have a button.
"a novelty Bluetooth speaker with a microphone, which activates when the handset is lifted."
This is like saying landline phones were/are insecure because the person you dialed could listen in on what you're doing if you didn't hang up properly.
Re: "The Chatter doesn't have an app" (Score:2)
Different kind of button... Button to pair versus button to activate speaker/mic combo. They are saying anyone can pair with the device because it's always willing to accept pairing. Not sure this is true but seems to be the relevant security issue...
Walkie Talkie's Kill! (Score:3)
I'm wondering if this is really a marketing campaign designed as a "security alert". A "security alert" with "kids" in the title will get waaay more traction than, "Bluetooth rotary phone that acts like a walkie talkie."
It seems to me that anyone that is worried about their kid possibly hearing some words out of someone's mouth ruining some kid's life, needs therapy. Even if you gave one to every child on the planet, you might have this happen to 1 of these kids. If this actually happened to you, it would be a good teaching opportunity to let your kid know that not everyone is nice. Slenderman and Smiley are not going to visit you because of this.
Have these folks complaining about this even heard what young kids are saying, while playing video games, to each other over their very securely paired Bluetooth headphones? If Fisher-Price goes down for this, then Sony and every older brother are ruined.
--
When in doubt, make no sense. No sense is good. And nonsense is good. - Genesis P-Orridge
Re: (Score:2)
"Bluetooth rotary phone that acts like a walkie talkie."
It's not just the ability to listen in on calls. Insecure pairing means anyone in range can pair it and use it as a microphone at any time, with no local interaction. That's a much higher level of privacy invasion.
Re: Walkie Talkie's Kill! (Score:2)
More so it's not marketed for kids. We can imagine all types taking rather private calls this way...
Steps (Score:2)
Step 1: buy Fisher-Price Chatter phone.
Step 2: let people eavesdrop.
Step 3: turn them into something... unnatural.
Step 4: Profit!
The Chatter doesn't have an app. So? (Score:2)
The Chatter doesn't have an app
And that's bad?
There's a device that has a chance to work in 6 months when others are bricked because the app disappears, doesn't support your slightly older Android version, doesn't work with iOS or requires an account and a high-speed internet connection to turn on a light bulb.
Re: (Score:2)
Never underestimate the manufacturers' willingness to require a stupid app, credentials, internet access and way too many permissions when none is needed.
CIA, NSA, Pentagon, (Score:2)
Re: CIA, NSA, Pentagon, (Score:2)
Work in a Faraday cage where local internet is a secure landline just so you can talk on your chatter phone. Just you watch... the next James Bond will have this scene... I mean honestly they can't fuck up the series any more than they have.
Without an App (Score:2)
I do not think you folks have thought this through. Without an app, how are you going to get notifications of products and services that the manufacturer thinks may be of interest to you?
That is not something you want to have to figure out on your own, and is best left to professionals.