Fisher-Price's Chatter phone has a simple but problematic Bluetooth bug
As nostalgia goes, the Fisher-Price Chatter phone doesn't disappoint. The classic retro kids toy was given a modern revamp for the holiday season with the new release for adults which, unlike the original toy designed for kids, can make and receive calls over Bluetooth using a nearby smartphone.
The Chatter — despite a working rotary dial and its trademark wobbly eyes that bob up and down when the wheels turn — is less a phone and more like a novelty Bluetooth speaker with a microphone, which activates when the handset is lifted.
The Chatter didn't spend long on sale; the phone sold out quickly as the waitlists piled up. But security researchers in the U.K. immediately spotted a potential problem. With just the online instruction manual to go on, the researchers feared that a design flaw could allow someone to use the Chatter to eavesdrop.
Ken Munro, founder of the cybersecurity company Pen Test Partners, told TechCrunch that chief among the concerns are that the Chatter does not have a secure pairing process to stop unauthorized phones in Bluetooth range from connecting to it.
Munro outlined a series of tests that would confirm or allay his concerns. Since the Chatter is only available in the U.S. and was persistently sold out, TechCrunch set a page monitor to tell us when it was back in stock, bought one, and started testing.
First, we switched on the Chatter phone, which activates its Bluetooth connection, paired a phone over Bluetooth, then switched off Bluetooth to simulate someone walking the phone out of range. We then paired another phone with the Chatter without hindrance, allowing us to remotely control the Chatter's audio.
Mattel, which makes the Chatter phone, said the phone "will time out if no connection is made or once the pairing occurs — it is only discoverable within a narrow window of time and requires physical access to the device." We left the Chatter on and found the Bluetooth pairing process did not time out after more than an hour.
Then, Munro asked what would happen if we called the phone connected to the Chatter. Sure enough, the Chatter rang — loudly — as expected. Then we called the Chatter again, this time without properly replacing its receiver. With the handset off the hook, the Chatter automatically answered the call, immediately activating the handset's microphone and allowing us to hear ambient background audio.
Several years ago, Pen Test Partners found a similar Bluetooth vulnerability in a child's toy doll called My Friend Cayla, which the researchers found could be paired with another person's phone if the parent's phone goes out of range. The toy was eventually pulled from shelves after it was found the doll, when connected to its app, was recording what children were saying.
The Chatter doesn't have an app, and Mattel said the Chatter phone was released as "a limited promotional item and a playful spin on a classic toy for adults." But Munro said he's concerned the Chatter's lack of secure pairing could be exploited by a nearby neighbor or a determined attacker, or that the Chatter could be handed down to kids, who could then unknowingly trigger the bug.
"It doesn't need kids to interact with it in order for it to become an audio bug. Just leaving the handset off is enough," said Munro.
When reached about the findings, Mattel spokesperson Kelly Powers said the company is "committed to security and we will be investigating these claims."