Children's tablet leaks location and enables unsolicited messages from strangers

child using tablet
(Image credit: Shutterstock)

Security researchers have discovered serious security vulnerabilities in LeapFrog's popular children's LeapPad Ultimate tablets that could allow a hacker to track the location of a child and talk to them through the device's in-built chat app 'Pet Chat'.

Researchers from Checkmarx used a site called WiGLE which allowed anyone to search for a child's location by simply searching for SSIDs that included 'PetChat' because the app created a Wi-Fi ad-hoc connection whenever it was being used. Locations could then be discovered on public Wi-Fis and tracked MAC addresses.

Another issue discovered was that Pet Chat didn't require any authentication between a parent's and child's device which meant that anyone within a 100ft radius could send a message to a child through the app.

Combining these two in large cities could result in awful consequences. Researchers proved that evil attackers could easily scan cities for locations that were highly populated with children and send messages such as "Let's go! Play outside together".

In a separate vulnerability, researchers proved that the same devices were also susceptible to man-in-the-middle (MiM) attacks using Wi-Fi Pumpkin, a rogue access point framework.

Using Wi-Fi Pumpkin, attackers can spoof an existing Wi-Fi network, such as a restaurant's, and then force users who were already connected to the original network onto the spoofed one created by the attackers.

LeapPad devices were especially vulnerable to this attack because their outgoing traffic wasn't encrypted over HTTPS, instead, it used a clear text HTTP protocol which allowed attackers to steal sensitive information from the device including credit card information, account balances, name and address of the parents. Additionally, the name, gender, birth year and birth month of the child were also harvestable.

"The vulnerabilities we uncovered during this research would likely create worrying scenarios for parents, concerning their children's usage of LeapPad," said David Sopas, application security research team leader. "LeapFrog did take several measures to secure these tablets to protect children. However, just a few vulnerabilities can be combined to create some very harmful attack results."

These issues highlight a consistent trend with IoT-enabled devices just not being built with security at the forefront of the manufacturer's priorities.

"IoT devices are often the weak link in the network because manufacturers have not designed them with security in mind and consumers do not have the tools or knowledge to enable them to secure the devices after they've purchased them," said Cody Brocious, head of hacker education at HackerOne.

"Security experts have been warning for years about the security risks introduced by insecure smart home assistants, connected children's toys and baby monitors, smoke detectors, door locks, smart cameras, smart TVs, smart speakers, wearable health trackers and connected washing machines," he added.

When Brocious said experts have been warning the world about unsecured IoT devices, that's no understatement. In 2015, IT Pro first reported on a hackable Barbie doll which could be used to spy on children, listening in to their conversations by hijacking the doll's microphone.

Two years later in 2017, it was revealed the industry still hadn't made a concerted effort to address the worrying issue. Research indicated that four in seven of the most popular IoT-enabled children's toys contained security flaws that would allow hackers to talk directly to a child.

LeapFrog has patched all the vulnerabilities brought to them by Checkmarx, who said the company exhibited "lightning-fast responsiveness", and removed Pet Chat entirely from all devices.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.