Blog: Consumer Advice

Audio bugging with the Fisher Price Chatter Bluetooth Telephone

Ken Munro 22 Dec 2021

The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute!

Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances.

TL;DR

  • The Fisher Price Chatter Bluetooth telephone uses Bluetooth Classic with no secure pairing process.
  • When powered on, it just connects to any Bluetooth device in range that requests to pair
  • This raises security concerns similar to My Friend Cayla here, in that audio bugging of both children and adults is possible in some circumstances
  • Someone nearby (next door house, next apartment, street outside) can connect their own Bluetooth audio device (smartphone / laptop etc) and use it to bug their neighbours
  • Someone nefarious nearby could also use the Chatter telephone to speak to and listen to a child in your home
  • Separately, if the phone handset is left off, it will AUTO ANSWER any call to a connected smartphone, in a kind of ‘reverse butt dial’
  • The same attacker can also make the Chatter phone ring, so an unsupervised child is likely to answer.

We believe that Fisher Price / Mattel should explain why they chose not to implement a more secure pairing process.

During initial exchanges, Mattel indicated that it was an adult toy and not for use by children. We find it hard to believe that children will not be given the phone to play with after the novelty wears off with the adult! Further, some of the audio bugging issues do not require interaction of a child or adult.

We don’t think this is acceptable. How have Fisher Price not learned from similar security issues exposed in children’s toys several years ago? An improved pairing process might involve an additional button press to force the device in to a mode that allows pairing.

Mitigations

Anyone already with the phone should ensure it is powered off when not explicitly in use.

  • Parents should supervise their child’s use of the phone

Normally, only one Bluetooth phone can connect to the Chatter telephone at a time. If a legitimate phone is connected, it is usually not possible to connect a rogue phone.

  • Hence, do not leave the Chatter telephone powered on if you leave your home with the smartphone that is connected to the Chatter telephone

The audio functions of the Chatter telephone will only allow bugging if the handset is picked up or knocked off, or the speakerphone button is pressed.

  • Adults should ensure that the handset is always replaced and the phone is turned off

Discussion

Fisher Price released their Bluetooth Chatter Telephone to much fanfare. I’ll be honest – I quite want one too! It brings back memories of my childhood.

The phone is currently only available from Best Buy in the USA and promptly sold out. We had a chat with Zack Whittaker of Tech Crunch, a lovely Brit based in NYC, who ordered one on our behalf. About 6 weeks later the phone arrived with him, so we worked through a test plan together.

In the meantime, we went hunting for the Bluetooth specs and instruction manuals.

The FCC filings are here: https://fccid.io/PIYHGJ69-21A5T though most of the entries were at the time still confidential.

Our work on My Friend Cayla some years ago showed a very similar issue. An attacker within Bluetooth range could simply connect a Bluetooth audio device (e.g. a smartphone) with no further security challenges and listen to the dolls microphone, or speak through its speaker to a child playing with the doll. This led to widespread concern from consumer protection groups such as Forbrukerrådet (the Norwegian Consumer Council) and product bans across multiple countries, led by Germany’s Federal Network Agency (Bundesnetzagentur).

There is one key difference between the issues with My Friend Cayla and the Chatter telephone: the audio is not enabled until the handset is lifted or speakerphone button is pressed. We do not think this sufficiently mitigates the problem though:

First, if the Chatter telephone is powered on, but the handset is left knocked off, as is quite possible when a child has played with it, the Chatter phone will auto-answer any incoming phone call to the connected smartphone, resulting in becoming an audio bug with no interaction from child or parent.

Second, the Chatter telephone will ring if the attached smartphone rings. An attacker would simply use two phones – one to pair with the Chatter phone and a second to call the first phone. The Chatter phone now rings, the innocent child answers and two way audio is established.

We think Mattel should be encouraged to take urgent action to address this issue.

A simple test plan

Needed: one Fisher Price Chatter Bluetooth Telephone, two smartphones (A&B)

Test 1: is there a secure pairing process, or can any phone in range connect?

Turn on Chatter phone. Connect smartphone A to the Chatter phone using Bluetooth. Are there any further steps / PINs etc required to get it to work? No, it just connects.

Turn Bluetooth off on phone A. This is to simulate the user leaving the house and going out of Bluetooth range.

Try to connect phone B to the Chatter phone, simulating someone else in range connecting to the Chatter phone. Does this work? Yes, though we don’t get audio until the Chatter phone handset is picked up, or is already off (see below).

Test 2: can you make the phone ring, so that an unattended child might answer it?

Connect phone A (attacker’s phone) to the Chatter phone. Call phone A from phone B (also in the hands of the attacker). Does the Chatter phone ring? Yes.

Next, if the handset it picked up what happens? Does the call connect and stay open? Yes.

Test 3: if the Chatter phone handset is left off (say a child has played with it and not replaced the handset) can you use the Chatter phone as an audio bug?

Take the handset off the Chatter phone.

Try the same test as test 2 above. Does the Chatter phone auto answer? Yes, it auto answers the call and audio can be heard in the room where the Chatter phone is located.

Now use just one smartphone. Connect it to the Chatter phone over Bluetooth whilst its handset is off. Is the mike/speaker audio enabled by default? Yes, audio in the room can be heard.

Test 4: power off behaviour

Turn on the Chatter phone. Leave it for a while. Does it power itself off, therefore reducing risk, or will it only turn off if the power button is pressed again? The phone stays powered on for a significant period of time. We haven’t yet had the phone power itself off before its battery runs out!