Fisher-Price Chatter Phone Bluetooth Bug - Security Concerns

December 22, 2021

The Fisher-Price Chatter Phone: A Retro Toy with Modern Security Concerns

The Fisher-Price Chatter Phone, a beloved toy evoking strong feelings of nostalgia, recently received an adult-oriented update. This reimagined version, released for the holiday season, incorporates Bluetooth technology, enabling calls via a connected smartphone – a departure from the original’s function as a children’s toy.

Functionality and Initial Response

Despite featuring a functional rotary dial and the iconic, wobbling eyes, the adult Chatter Phone operates more as a Bluetooth speaker with a microphone. Activation occurs when the handset is lifted from its cradle.

Demand for the Chatter Phone proved exceptionally high, leading to rapid sell-outs and extensive waitlists. However, this popularity was quickly tempered by security concerns raised by researchers.

Security Vulnerabilities Discovered

Cybersecurity experts in the U.K. identified a potential security flaw based solely on the device’s online instruction manual. Their primary concern centered around the possibility of unauthorized eavesdropping.

Ken Munro, founder of Pen Test Partners, highlighted the lack of a secure pairing process as a key vulnerability. This deficiency could allow unauthorized Bluetooth devices within range to connect to the Chatter Phone.

Testing the Vulnerabilities

To validate these concerns, TechCrunch acquired a Chatter Phone after monitoring its availability and conducted a series of tests.

Initial testing involved activating the phone’s Bluetooth connection, pairing a device, and then simulating a disconnection by moving the paired phone out of range. Subsequently, another phone was paired without obstruction, granting remote control over the Chatter Phone’s audio.

Mattel’s Response and Further Investigation

Mattel stated that the device is designed to time out after a pairing occurs or if no connection is established, and that it is only discoverable for a limited time, requiring physical access. However, testing revealed that the Bluetooth pairing process remained active for over an hour.

Further tests involved calling the connected Chatter Phone, which rang as expected. Critically, a subsequent call made while the handset was off the hook resulted in the phone automatically answering, activating the microphone and transmitting ambient audio.

Past Precedents and Potential Exploitation

Pen Test Partners previously uncovered a similar Bluetooth vulnerability in the “My Friend Cayla” doll. This toy could be paired with unauthorized phones when a parent’s device was out of range, and was ultimately removed from shelves after being found to record children’s conversations.

The Chatter Phone lacks an accompanying app, and Mattel describes it as a “limited promotional item” and a playful adaptation of a classic toy. Munro expressed concern that the insecure pairing could be exploited by individuals nearby, or that the device could be passed on to children, who might inadvertently trigger the vulnerability.

“The device doesn’t require interaction from children to become an audio surveillance tool; simply leaving the handset off the hook is sufficient,” Munro explained.

Mattel’s Commitment to Security

Upon being informed of the findings, Mattel spokesperson Kelly Powers stated the company is “committed to security and we will be investigating these claims.”
