Children's tablet leaks location and enables unsolicited messages from strangers

LeapFrog's LeapPad tablets are among the most popular with young children and, until recently, were highly insecure


Security researchers have discovered serious security vulnerabilities in LeapFrog's popular children's LeapPad Ultimate tablets that could allow a hacker to track the location of a child and talk to them through the device's in-built chat app 'Pet Chat'.

Researchers from Checkmarx found that Pet Chat created an ad-hoc Wi-Fi network whose SSID included 'PetChat' whenever the app was in use, so anyone could locate a child simply by searching the WiGLE wardriving database for SSIDs containing 'PetChat'. Because WiGLE stores the coordinates at which each SSID and MAC address was observed, those entries revealed where the tablets had been used and let individual devices be tracked by their MAC address.

Another issue discovered was that Pet Chat didn't require any authentication between a parent's and child's device which meant that anyone within a 100ft radius could send a message to a child through the app.

Combined in a large city, these two flaws could have awful consequences. The researchers showed that an attacker could scan a city for areas dense with these tablets and then send nearby children messages such as "Let's go! Play outside together".
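To make the tracking primitive concrete, the following added example (not Checkmarx's tooling or any code from the original report) runs the search described above over a constructed wardriving export. The column layout is modelled on a WiGLE WiFi CSV export, and every MAC address, SSID, timestamp and coordinate in it is made up. It shows the three things a fixed, app-specific SSID gives an observer: which records belong to the toy, where one device has been over time (its MAC address does not change between sessions), and which grid cells contain the most devices.

```python
import csv
import io
import math
import re
from collections import defaultdict

# Constructed wardriving export in the column layout of a WiGLE WiFi CSV
# (assumption: column names follow the app's export format; every row is made up).
SAMPLE_WIGLE_CSV = """\
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
02:11:22:33:44:01,PetChat,[ESS],2019-06-12 14:03:11,6,-58,51.50740,-0.12780,12,8,WIFI
3C:5A:B4:00:00:02,CoffeeHouse_Guest,[WPA2-PSK-CCMP][ESS],2019-06-12 14:03:12,1,-70,51.50810,-0.12690,12,10,WIFI
02:11:22:33:44:03,PetChat,[ESS],2019-06-12 14:05:40,6,-64,51.50755,-0.12762,12,9,WIFI
02:11:22:33:44:01,PetChat,[ESS],2019-06-14 09:21:02,6,-60,51.51530,-0.14190,14,7,WIFI
AC:DE:48:00:00:04,HomeNet,[WPA2-PSK-CCMP][ESS],2019-06-14 09:21:03,11,-49,51.51540,-0.14200,14,7,WIFI
"""

# The app's ad-hoc network carried a recognisable SSID, so a substring match is all the search needs.
PETCHAT_SSID = re.compile(r"PetChat", re.IGNORECASE)


def find_petchat_sightings(csv_text):
    """Return every row whose SSID contains 'PetChat' as a dict with mac, seen, lat and lon."""
    sightings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if PETCHAT_SSID.search(row["SSID"]):
            sightings.append({
                "mac": row["MAC"].upper(),
                "seen": row["FirstSeen"],
                "lat": float(row["CurrentLatitude"]),
                "lon": float(row["CurrentLongitude"]),
            })
    return sightings


def track_device(sightings, mac):
    """Chronological trail of one tablet: the MAC address ties separate sessions together."""
    trail = [s for s in sightings if s["mac"] == mac.upper()]
    return sorted(trail, key=lambda s: s["seen"])


def hotspots(sightings, cell_deg=0.002):
    """Count distinct tablets per grid cell (roughly 200 m at this latitude) to see where they cluster."""
    cells = defaultdict(set)
    for s in sightings:
        cell = (math.floor(s["lat"] / cell_deg), math.floor(s["lon"] / cell_deg))
        cells[cell].add(s["mac"])
    return {cell: len(macs) for cell, macs in cells.items()}


if __name__ == "__main__":
    seen = find_petchat_sightings(SAMPLE_WIGLE_CSV)
    print(f"{len(seen)} PetChat sightings")
    for s in track_device(seen, "02:11:22:33:44:01"):
        print(f"  {s['seen']}  {s['lat']:.5f},{s['lon']:.5f}")
    busiest = max(hotspots(seen).items(), key=lambda kv: kv[1])
    print("busiest cell (cell, distinct tablets):", busiest)
```

The same three steps apply to any device that advertises a product-specific SSID: the defensive check is to confirm that nothing the device broadcasts (SSID, hostname, Bluetooth name) identifies the product or the user, and that the MAC address it uses for ad-hoc or hotspot mode is randomised per session.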

In a separate finding, the researchers showed that the same devices were susceptible to man-in-the-middle (MitM) attacks mounted with Wi-Fi Pumpkin, a rogue access point framework.

With Wi-Fi Pumpkin, an attacker can spoof an existing Wi-Fi network, such as a restaurant's, and force clients already connected to the genuine network onto the attacker's copy.

LeapPad devices were especially exposed to this attack because their outgoing traffic was sent as plaintext HTTP rather than over HTTPS, so an attacker in the middle could read sensitive data leaving the device, including credit card details, account balances, and the parents' name and address. The child's name, gender, birth year and birth month could be harvested the same way.
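The following added example (not code from Checkmarx or LeapFrog) shows what the rogue access point in the scenario above actually gets to see. It takes the first bytes a client sends on a connection, tells plaintext HTTP apart from a TLS handshake, and, for the plaintext case, pulls out the form fields a harvester would want. Both captures are constructed: the host name, path and field names are invented, and the TLS bytes are only a record header and the start of a ClientHello, enough to show that a TLS stream hands the observer nothing but opaque handshake data.

```python
import re
from urllib.parse import parse_qs

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

# Field names a harvester would grab; the list mirrors the data classes named in the report.
SENSITIVE_FIELD = re.compile(r"card|cvv|address|name|birth|gender|balance|password", re.IGNORECASE)

# Constructed capture: a form posted over plain HTTP, as seen by whoever owns the access point.
# Host, path and field names are invented for illustration.
_FORM_BODY = (
    "parent_name=Jane+Doe&address=1+Example+Street&card_number=4111111111111111"
    "&card_cvv=123&child_name=Sam&child_gender=F&child_birth=2014-03&locale=en_GB"
)
CAPTURED_HTTP = (
    "POST /account/checkout HTTP/1.1\r\n"
    "Host: shop.example-vendor.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_FORM_BODY)}\r\n"
    "\r\n" + _FORM_BODY
).encode()

# Constructed capture of the same kind of request over TLS: a record header
# (content type 0x16 = handshake, version 3.x) followed by the start of a ClientHello.
CAPTURED_TLS = b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03" + b"\x00" * 32


def classify_stream(first_bytes):
    """Classify the first client-to-server bytes of a TCP stream."""
    if first_bytes.startswith(HTTP_METHODS):
        return "plaintext-http"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


def parse_http_request(raw):
    """Split a plaintext HTTP request into method, path, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(HTTP_METHODS):
        return None
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def harvest_pii(raw):
    """Return the sensitive form fields readable in a plaintext request; {} for anything else."""
    req = parse_http_request(raw)
    if req is None:
        return {}
    if not req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if SENSITIVE_FIELD.search(k)}


def audit_capture(streams):
    """For each client stream, report the transport and which sensitive fields were readable."""
    findings = []
    for raw in streams:
        kind = classify_stream(raw)
        req = parse_http_request(raw) if kind == "plaintext-http" else None
        findings.append({
            "transport": kind,
            "host": req["headers"].get("host", "") if req else "",
            "fields": sorted(harvest_pii(raw)),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_capture([CAPTURED_HTTP, CAPTURED_TLS]):
        print(finding)
```

Run against a real capture, the same audit is the check a practitioner would want before trusting a device: every stream to the vendor's hosts should classify as TLS, and the device must also validate the server certificate, since a rogue access point that can present its own certificate is back to reading plaintext.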

"The vulnerabilities we uncovered during this research would likely create worrying scenarios for parents, concerning their children's usage of LeapPad," said David Sopas, application security research team leader. "LeapFrog did take several measures to secure these tablets to protect children. However, just a few vulnerabilities can be combined to create some very harmful attack results."

These issues highlight a consistent trend of IoT devices being built without security among the manufacturer's priorities.

"IoT devices are often the weak link in the network because manufacturers have not designed them with security in mind and consumers do not have the tools or knowledge to enable them to secure the devices after they've purchased them," said Cody Brocious, head of hacker education at HackerOne.

"Security experts have been warning for years about the security risks introduced by insecure smart home assistants, connected children's toys and baby monitors, smoke detectors, door locks, smart cameras, smart TVs, smart speakers, wearable health trackers and connected washing machines," he added.

When Brocious said experts have been warning the world about unsecured IoT devices, that's no understatement. In 2015, IT Pro first reported on a hackable Barbie doll which could be used to spy on children, listening in to their conversations by hijacking the doll's microphone.

Two years later in 2017, it was revealed the industry still hadn't made a concerted effort to address the worrying issue. Research indicated that four in seven of the most popular IoT-enabled children's toys contained security flaws that would allow hackers to talk directly to a child.

LeapFrog has patched all the vulnerabilities brought to them by Checkmarx, who said the company exhibited "lightning-fast responsiveness", and removed Pet Chat entirely from all devices.
