The revamp of this classic Christmas toy has a serious Bluetooth security flaw


Older readers will probably remember the Fisher-Price Chatter phone, a classic toy that almost always sells out during the holiday season. This year, however, buyers might get a little more than they paid for, and possibly too much.

As reported by TechCrunch, the newly "smart" edition of the Chatter phone came with a modern twist - the device is essentially a Bluetooth speaker, with a built-in microphone (and the essential wobbly eyes).

That way, parents can hook it up to their mobile phones via Bluetooth, and chat away with their young ones for guaranteed hilarity.

But the problem is that there’s no secure pairing process. According to TechCrunch, anyone close enough can quite easily connect to the Chatter phone. As a result, the Chatter phone can end up broadcasting audio from nearby smartphones and pick up on calls pretty much instantly.

Investigating the claims

In a statement, the device’s manufacturer Mattel said the phone “will time out if no connection is made or once the pairing occurs — it is only discoverable within a narrow window of time and requires physical access to the device.”

However, in TechCrunch’s tests, the connection did not time out even after an hour. Mattel also said it was “committed to security” and that it would be “investigating” the claims.

Ken Munro, founder of the cybersecurity company Pen Test Partners, who also tested the device, said the flaw could be leveraged by malicious actors or neighbors.

“It doesn’t need kids to interact with it in order for it to become an audio bug. Just leaving the handset off is enough,” said Munro.

The first Chatter phone was released some 60 years ago, and while the old (Bluetooth-less) toys cost around $7, the new one will set you back $60. The device is battery-powered and lasts up to nine hours on a single charge, the company claims.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.