Security vulnerabilities in a popular children's tablet could have allowed attackers to collect sensitive information about its young users, as well as enabling hackers to steal their parents' names, address and credit card details.
The LeapPad Ultimate tablet from LeapFrog is designed to provide children with access to educational apps, games and videos in a safe environment on a device that offers limited access to the internet, thus preventing the child stumbling across inappropriate content online.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
However, researchers at cybersecurity company CheckMarx examined the LeapPad Ultimate – used by children across the UK and the US – and found vulnerabilities that could put the privacy of the child and their parents at risk.
"The first thing we found is that some of LeapFrog's communications aren't encrypted. It's using very simple HTTP protocol, storing information in clear text and allowing an attacker to become a man-in-the-middle," Erez Yalon, director of security research at Checkmarx, told ZDNet.
By using a rogue-access point framework commonly used by attackers, researchers found they were able to spoof the existing connection and force the device onto the new rogue network.
"We controlled all the information that came and went to the device," Yalon explained.
By combining this with a cross-site scripting vulnerability for injecting malicious scripts into the rogue network, researchers found they were able to access data – including sensitive information about the child, such as their name, gender, birth year and birth month.
This technique could also allow attackers to steal information about the parents, such as their name, email, home address and phone number, as well as providing attackers with access to credit card information, including most of the card number and its expiration date.
With the LeapPad compromised by the man-in-the-middle attack, it was relatively simple for researchers to construct a phishing attack designed to steal the missing credit card numbers.
The tablet's LeapSearch browser doesn't display a URL bar – to prevent the child actively using it – but because it was hidden like this, it allowed researchers to create a spoofed version of the LeapFrog website that looked like the real thing.
They then set up the page so it claimed the account was locked and asked for the numbers missing from the credit card information to unlock the page. If a real victim fell for this, they'd be handing their credit card information to the attackers.
There are several security and privacy issues in LeapPad allowing attackers to steal data, but researchers also found something else – it was possible to narrow down the location of devices due to how the LeapPad Ultimate connects to other devices.
The Pet Chat app on the LeapPad Ultimate lets users communicate in a chat room using pet avatars and pre-set phrases. However, due to the app attempting to make ad-hoc network connections with nearby devices, the researchers were able to use WiGLE – a website for collecting information about wireless hotspots – to find Pet Chat users in the vicinity.
SEE: Data, AI, IoT: The Future of Business (ZDNet special report)
In each case, the name of the connection was Pet Chat, potentially enabling a malicious user to determine whether there are children nearby using the application.
"This is a bit more troubling because we move here from what is privacy and information security to physical security – which isn't common when you breach privacy," said Yalon.
In addition to this, researchers found that the Pet Chat protocol didn't require any authentication between devices, meaning anyone running Pet Chat within 100ft of a user could send messages to the child's device, albeit in the set phrases allowed by Pet Chat, something that could potentially put the child at risk.
CheckMarx uncovered the vulnerabilities late last year and has worked with LeapFrog to fix them.
"We thank CheckMarx for bringing these security issues to our attention, as the safety of the children who use our products is our top priority," said Mari Sunderland, VP of digital product management at LeapFrog Enterprises.
While the attacks haven't thought to have been used in the wild, for Yalon, the research demonstrates the importance of securing devices – particularly if children are the audience.
"When you know that the main users of your device will be children, the standards you need to put on your R&D need to the highest: military grade. Vendors should be very responsible and understand that privacy issues for children are much worse. All this needs to be taken into account to make sure your solution is as safe as possible," he said.