Children's tablet leaks location and enables unsolicited messages from strangers

LeapFrog's LeapPad tablets are among the most popular with young children and were, until recently, highly insecure


Security researchers have discovered serious security vulnerabilities in LeapFrog's popular LeapPad Ultimate children's tablets that could allow a hacker to track the location of a child and talk to them through the device's built-in chat app, 'Pet Chat'.

Researchers from Checkmarx used WiGLE, a public database that records Wi-Fi network names together with where they were observed, to find children's locations simply by searching for SSIDs containing 'PetChat', because the app created an ad-hoc Wi-Fi network whenever it was in use. A device's location could then be discovered from the public Wi-Fi networks it appeared on and tracked over time via its MAC address.

Another issue was that Pet Chat required no authentication between a parent's device and a child's, which meant that anyone within a 100ft radius could send a message to a child through the app.

Combining these two flaws in a large city could have awful consequences: the researchers showed that attackers could easily scan a city for locations densely populated with children and send them messages such as "Let's go! Play outside together".
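The missing piece the article describes is any binding between a parent's device and a child's. The following is an added illustration, not LeapFrog's or Checkmarx's code, of what that binding can look like: a key shared once during supervised setup (assumed to travel over a trusted channel such as a parent-entered code, which is a hypothetical design choice here), after which every message carries an HMAC tag, a nonce and a timestamp, so that messages from unpaired senders, forged or altered messages, and replays are all dropped before the child ever sees them. Device and message names are invented for the example.

```python
import hashlib
import hmac
import secrets
import time


def _mac(key: bytes, sender: str, nonce: str, ts: int, text: str) -> str:
    """HMAC-SHA256 over every field the recipient relies on (sender, nonce, time, text)."""
    payload = "|".join([sender, nonce, str(ts), text]).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ParentDevice:
    """Hypothetical parent-side app: holds the key created at pairing and signs each message."""

    def __init__(self, parent_id: str):
        self.parent_id = parent_id
        self.key = secrets.token_bytes(32)  # generated once during setup, never sent over the chat link

    def send(self, text: str, now: float = None) -> dict:
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)  # fresh per message so a recipient can detect replays
        tag = _mac(self.key, self.parent_id, nonce, ts, text)
        return {"from": self.parent_id, "nonce": nonce, "ts": ts, "text": text, "tag": tag}


class ChildDevice:
    """Hypothetical child-side app: only messages from paired parents get through."""

    MAX_SKEW = 300  # seconds a message may be old (or ahead of the clock) before it is rejected

    def __init__(self):
        self.paired = {}   # parent_id -> shared key
        self.seen = set()  # (parent_id, nonce) pairs already accepted

    def pair(self, parent: ParentDevice) -> None:
        # Assumed to happen over a trusted channel during supervised setup (constructed assumption);
        # the point is that the key is established out of band, not over the open chat link.
        self.paired[parent.parent_id] = parent.key

    def accept(self, msg: dict, now: float = None) -> tuple:
        key = self.paired.get(msg.get("from"))
        if key is None:
            return False, "unknown sender"  # an unpaired stranger is dropped here
        expected = _mac(key, msg["from"], msg["nonce"], msg["ts"], msg["text"])
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"  # forged, or altered in transit
        current = time.time() if now is None else now
        if abs(current - msg["ts"]) > self.MAX_SKEW:
            return False, "stale"  # an old message delivered much later
        if (msg["from"], msg["nonce"]) in self.seen:
            return False, "replay"  # exact copy of a message already accepted
        self.seen.add((msg["from"], msg["nonce"]))
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: one paired parent, one stranger, a tampered, a replayed and a stale message."""
    child = ChildDevice()
    parent = ParentDevice("parent-01")
    stranger = ParentDevice("stranger-99")  # runs the same app but was never paired with this child
    child.pair(parent)
    t = 1_700_000_000.0  # fixed clock so the run is deterministic

    results = {}
    good = parent.send("Dinner in ten minutes", now=t)
    results["paired"] = child.accept(good, now=t)[1]
    results["stranger"] = child.accept(stranger.send("Let's play outside", now=t), now=t)[1]
    tampered = dict(good, text="Come to the park")  # same tag, different text
    results["tampered"] = child.accept(tampered, now=t)[1]
    results["replay"] = child.accept(good, now=t)[1]
    results["stale"] = child.accept(parent.send("old message", now=t - 3600), now=t)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The nonce and timestamp checks matter as much as the tag: without them a message captured once could be re-delivered indefinitely, which for a chat aimed at children is its own problem. Pairing state should also be revocable by the parent, which this sketch leaves out.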

In a separate vulnerability, researchers proved that the same devices were also susceptible to man-in-the-middle (MiM) attacks using Wi-Fi Pumpkin, a rogue access point framework.

Using Wi-Fi Pumpkin, attackers can spoof an existing Wi-Fi network, such as a restaurant's, and then force users already connected to the genuine network onto the spoofed one they control.

LeapPad devices were especially exposed to this attack because their outgoing traffic was not encrypted with HTTPS; it was sent as clear-text HTTP, which allowed attackers to steal sensitive information from the device, including credit card details, account balances, and the parents' name and address. The child's name, gender, birth year and birth month were also harvestable.
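A parent or a home-network administrator cannot change how a tablet talks to its vendor, but they can notice when it sends personal data in the clear. The following is an added example, not code from the article or from LeapFrog, of that check run over a constructed connection summary (one line per request: source, destination, port, method, path, body). It flags plaintext HTTP requests whose form fields have sensitive-looking names or carry a Luhn-valid payment card number; TLS connections are left alone because their payload is not visible to such a log. The log lines, field names and addresses are all invented for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample (not a real capture): src dst dst_port method path body
SAMPLE_LOG = """\
192.168.1.42 203.0.113.10 80 POST /api/profile/update name=Jane+Doe&address=12+High+St&card_number=4111111111111111&child_birth_year=2014
192.168.1.42 203.0.113.10 443 POST /api/profile/update <tls-encrypted>
192.168.1.42 203.0.113.11 80 GET /firmware/version -
192.168.1.42 203.0.113.10 80 GET /store/balance?account=12345 -
"""

# Field names that should never travel over plain HTTP; extend to taste
SENSITIVE_KEYS = re.compile(r"(card|cvv|balance|address|birth|gender|name|password|account)", re.I)
DIGIT_RUN = re.compile(r"\d{13,19}")  # candidate card-number lengths


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every valid payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_line(line: str) -> dict:
    """Split one summary line into its six fields (body is the remainder, may contain '&')."""
    src, dst, port, method, path, body = line.split(" ", 5)
    return {"src": src, "dst": dst, "port": int(port), "method": method, "path": path, "body": body}


def find_cleartext_pii(log_text: str) -> list:
    """Return one finding per plaintext HTTP request that carries sensitive fields or a card number."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["port"] != 80:
            continue  # TLS: payload is opaque to this log, so this rule cannot judge it
        params = dict(parse_qs(rec["path"].partition("?")[2]))  # query string, if any
        if rec["body"] != "-":
            params.update(parse_qs(rec["body"]))  # form-encoded body, if any
        fields = sorted(k for k in params if SENSITIVE_KEYS.search(k))
        card_seen = any(
            luhn_ok(m) for values in params.values() for m in DIGIT_RUN.findall(" ".join(values))
        )
        if fields or card_seen:
            findings.append({
                "src": rec["src"],
                "dst": rec["dst"],
                "path": rec["path"],
                "fields": fields,
                "card_number_seen": card_seen,
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_pii(SAMPLE_LOG):
        card = " + payment card number" if f["card_number_seen"] else ""
        print(f"{f['src']} -> {f['dst']} {f['path']}: plaintext fields {f['fields']}{card}")
```

The rule deliberately keys on field names as well as on the Luhn test: a device that posts a child's birth year over HTTP is worth a finding even when no card number is present. On a real network the same logic would sit behind a capture tool that reconstructs HTTP requests; the summary format here only stands in for that.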

"The vulnerabilities we uncovered during this research would likely create worrying scenarios for parents, concerning their children's usage of LeapPad," said David Sopas, application security research team leader. "LeapFrog did take several measures to secure these tablets to protect children. However, just a few vulnerabilities can be combined to create some very harmful attack results."

These issues highlight a consistent trend of IoT-enabled devices being built without security among the manufacturer's top priorities.

"IoT devices are often the weak link in the network because manufacturers have not designed them with security in mind and consumers do not have the tools or knowledge to enable them to secure the devices after they've purchased them," said Cody Brocious, head of hacker education at HackerOne.

"Security experts have been warning for years about the security risks introduced by insecure smart home assistants, connected children's toys and baby monitors, smoke detectors, door locks, smart cameras, smart TVs, smart speakers, wearable health trackers and connected washing machines," he added.

When Brocious said experts have been warning the world about unsecured IoT devices, that's no understatement. In 2015, IT Pro first reported on a hackable Barbie doll which could be used to spy on children, listening in to their conversations by hijacking the doll's microphone.

Two years later in 2017, it was revealed the industry still hadn't made a concerted effort to address the worrying issue. Research indicated that four in seven of the most popular IoT-enabled children's toys contained security flaws that would allow hackers to talk directly to a child.

LeapFrog has patched all the vulnerabilities brought to them by Checkmarx, who said the company exhibited "lightning-fast responsiveness", and removed Pet Chat entirely from all devices.
