Naked Security

The cool retro phone with a REAL DIAL… plus plenty of IoT problems

You know you want one, because this retro phone is NOT A TOY... except when it comes to cybersecurity.

The picture you see above is not only a real Fisher-Price product, released in the second decade of the 21st century…

…but is also officially NOT A TOY!

Sure, it looks like a Chatter Phone toy, with an external appearance that adults of all ages will recognise, perhaps from having had one, played with one, or at least seen one in the toy store all those years ago.

Even when the mobile phone age arrived, the Chatter Phone retained its dial (an actual dial-shaped dial!), its cheese-dish phone styling, and its sideways receiver.

Fascinatingly, “keeping it retro” has been part of telephony ever since the second generation of telephone instruments came out in the century before last.

We carried on referring to the combined mouthpiece-and-loudspeaker component as a “receiver”, and we talked about “replacing the receiver”, long after the receiver ceased to be a separate item that contained just a loudspeaker. (Originally, only the receiver could be lifted up and replaced, because the mouthpiece – the sender – was typically built into the body of the instrument itself.)

And we kept on putting the receiver “back on the hook” to end a call long after phones had either receivers or hooks.

To this day – in fact, in this era of outsourced phone support and faraway call centres, perhaps more so than ever – we “continue to hold” even though Bluetooth headsets mean there is nothing to hold onto any more, and we still “dial” calls, although we now use a “keypad” to do so.

Of course, not only is it no longer a dial, it’s not even a keypad these days: it’s usually a touch screen with no actual keys or buttons at all.

The only thing that didn’t catch on in telephony, and perhaps we can all be thankful for this, is Alexander Graham Bell’s preferred telephonic greeting of “Ahoy!” – though for all we know a future generation of pirate-talking techies might revive this ancient rite.

[I know it’s the day before the day before Christmas, but can we get to the phone bugs already? Ed.]

This is NOT A TOY

Ah, yes.

Back to the Fisher-Price “NOT A TOY” Chatter Telephone with Bluetooth.

They’re not really for children, which is just as well because retro-loving adults seem to have bought them all up. ($60 at Best Buy, out of stock at our closest US store, which turns out to be 4900km away from Oxfordshire, in Bangor, Maine.)

In fact, if you’re a techie and you hadn’t heard of this product before, we suspect you secretly want one now, because [a] childhood memories, [b] ultimate happy/hippie/retro look, [c] the dial actually works, so you can actually dial calls, with an actual dial!

IoT FTW!

But you know where this is going, and you can probably guess who took it there – our chums Pen Test Partners (PTP), just down the road (or not far along the old railway line that’s currently being rebuilt) in Buckinghamshire, the next county over.

PTP wanted one of these phones, just like you do, but their closest Best Buy is also in Maine, so they decided to ask a friend in North America to order one (even he had to wait six weeks!), and conducted their research remotely.

Great circle route to closest US Best Buy from the counties of Oxon and Bucks.

Elegantly simple

The Chatter Telephone with Bluetooth is elegantly simple: the device is basically a Bluetooth “headset”, with the added ability to accept numeric input (plus the all-important hash/pound and star symbols) via the rotary dial.

We don’t know how or if you can dial the plus symbol for overseas calls, but many countries let you use a special digit sequence instead.

So, the Chatter Telephone doesn’t take a SIM card itself; instead, it pairs with a regular mobile phone and acts, if you like, as a sort of extension – a happy, smiley, cheerful, brightly coloured, child-like extension phone with an actual rotary dial.

But despite its minimalistic functionality, PTP found that there had nevertheless been plenty of room for Fisher-Price to leave out the sort of cybersecurity features you might have expected.

Notably, PTP found that:

  1. The Chatter Phone has no Bluetooth pairing security. So, anyone in range of an unpaired device could hook it up to their phone instead of yours.
  2. Pairing your own phone with the Chatter Phone doesn’t lock other people out. You’d hope, despite flaw (1), that once you’d paired your device with the Chatter Phone, it would need to be reset before it could be paired again. Apparently, however, simply taking the paired mobile phone out of range – as you typically do every time you leave the house, for example – opens the Chatter Phone up to everyone else again.
  3. The Chatter Phone can act like an intercom. When off the hook but not on a call, the device will relay audio back and forth to the mobile phone it’s paired with. A child who plays with the device could therefore end up in a creepy conversation with someone outside the household, or a Chatter Phone inadvertently left off-hook in your lounge or home office could turn into a bugging device.
  4. The Chatter Phone will auto-answer calls if left off the hook. In theory, this means that if the Chatter Phone is paired with and currently locked onto your own mobile phone, anyone calling your phone might end up snooping on the room. This could happen more easily than you think, for example if your child didn’t replace the receiver perfectly after making a pretend call.

(Try telling your kids that the Chatter Phone is NOT A TOY, even though it looks exactly like the one that Grandma dug out of the attic that IS A TOY.)

As PTP points out, the pairing-is-just-too-easy problem could be solved simply by adding a “press to pair” button on the phone itself, so that you would need physical access to the Chatter Phone to initiate a connection with it.

That way, the Chatter Phone wouldn’t be able to hook up unintentionally with a stranger just because its currently paired phone went out of range (or ran out of battery, or had Bluetooth turned off).

And a simple timeout to shut down the Chatter Phone if the receiver remained “open-circuit” when it was neither making nor receiving a call would surely help with the other flaws.

If the Chatter Phone shut off its audio connection automatically when it obviously wasn’t in use, and would only re-activate if the receiver were deliberately placed back on the hook and then lifted up again, you’d probably feel much safer against accidental (or deliberate) audio eavesdropping.
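
The two fixes described above (a physical press-to-pair button and an off-hook idle timeout), sketched as a small firmware-style state machine. This is an added example, not Fisher-Price or PTP code; the function names, the two timeout values and the use of an address string in place of the Bluetooth stack's stored bond are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define PAIR_WINDOW_MS 30000u  /* assumed: how long a button press allows pairing */
#define IDLE_AUDIO_MS  60000u  /* assumed: off-hook idle time before audio is cut */

typedef struct {
    char     bonded[18];      /* stand-in for the stored bond; "" if none */
    int      window_open;     /* set only by the physical pair button */
    uint32_t window_start;
    int      off_hook, in_call, audio_on;
    uint32_t lifted_at;
} phone_t;

/* Only someone with physical access can open the pairing window. */
void press_pair_button(phone_t *p, uint32_t now) {
    p->window_open = 1; p->window_start = now;
}

/* Returns 1 if the connection is accepted, 0 if refused. */
int connect_request(phone_t *p, const char *peer, uint32_t now) {
    if (p->bonded[0] && strcmp(p->bonded, peer) == 0)
        return 1;                         /* bonded owner reconnecting */
    if (p->window_open && now - p->window_start < PAIR_WINDOW_MS) {
        strncpy(p->bonded, peer, sizeof p->bonded - 1);
        p->bonded[sizeof p->bonded - 1] = '\0';
        p->window_open = 0;               /* one pairing per button press */
        return 1;
    }
    return 0;  /* owner being out of range does not reopen pairing */
}

void lift_receiver(phone_t *p, uint32_t now) {
    p->off_hook = 1; p->audio_on = 1; p->lifted_at = now;
}
void replace_receiver(phone_t *p) {
    p->off_hook = 0; p->in_call = 0; p->audio_on = 0;
}

/* Periodic timer: cut idle audio; it stays off until replace + lift. */
void tick(phone_t *p, uint32_t now) {
    if (p->off_hook && !p->in_call && now - p->lifted_at >= IDLE_AUDIO_MS)
        p->audio_on = 0;
}

/* Auto-answer only while the audio path is live, i.e. not timed out. */
int incoming_call(phone_t *p) {
    if (p->off_hook && p->audio_on) { p->in_call = 1; return 1; }
    return 0;
}
```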

What to do?

If you’ve already bought one of these funky NOT A TOYs, try to remember to turn it off when you aren’t actually using it.

Although that defeats the purpose slightly, we suspect that you won’t want to make or take all your calls on the Chatter Phone (it may not actually be a toy, but it certainly looks like one, and we can’t help but assume that the voice quality makes it sound like one).

So, turning it on only when you want to re-live your childhood…

…seems like a simple precaution, at least until Fisher-Price puts out a firmware update, assuming that there’s a way to update it.


2 Comments

Fisher Price is a major toy seller, manufacturer, with lots of profit and financial resources. Isn’t there anyone in the organization who is checking these cheap Bluetooth toys and devices to verify that they work properly and do not interfere with other signals and cannot be randomly accessed? They could contract PTP for that job. Sounds like they gave an order to a low cost manufacturer to put some sort of electronics into their designed “phone” and never checked what they got before flooding the market. Why would anybody buy a toy phone that is not a toy phone to give to an infant to play with? Surely the people who bought them did not intend them as a Xmas present for Yuppies? However, not being a Yuppie, I would like one for the feature of having a retro extension in the garage when I’m restoring my 1988 Raleigh, the one with the well designed but poor functioning Sturmey Archer SW 3 speed gear hub. No, I don’t carry my iPhone into the garage when working. They don’t work well when dropped on concrete or smothered in grease, oil and red paint.


The link below will reveal an excellent contemporary replacement for any SA hub. Like the SW series it has no freewheel springs (in fact it has no freewheel at all) and is therefore gloriously silent in operation. No shifter or cables needed either – you can chuck them away! The matching splined cogs are things of great beauty. Handmade in the USA:
https://www.whiteind.com/product/eno-eccentric-flip-flop/

PS. I suspect you meant 1958, not 1988. IIRC, the SW hub was unceremoniously dropped from the market by 1960. Sadly for your restoration, it was dropped for excellent reasons: it was terrible.

(Introducing the SW hub seems to have been one of those all-too-common-in-contemporary-IT decisions – let’s create a brand new SKU by taking a well-known product, adding extra complexity, using completely new and incompatible components, and reducing quality! This new product will solve a vital problem – it will run silently (at least, it will until it breaks) – that our customers don’t yet know they have. But once we tell them, we will create a booming market for the new version by making them credulously unhappy with the old one, even though it is otherwise better in every way.)
