Yet another Internet of Things (IoT) product designed for kids has been shown to be pockmarked with privacy holes.
This time, it’s a tablet called LeapPad Ultimate that security researchers found to have issues that opened the door to creeps tracking children’s physical locations, sending creepster messages to them, or launching man-in-the-middle (MitM) attacks that could have snared sensitive information, including parents’ credit card data.
Scary, but the news has a silver lining: The vendor, LeapFrog, took the issues seriously and jumped on remediation lickety-split. Now all that’s left is for parents to scrape a chat app – Pet Chat – off of older tablets, as in, devices older than three years. In June 2019, LeapFrog confirmed that it had already done so on new tablets being sold in stores.
The news about LeapFrog was released at Black Hat 2019 on Wednesday by the application security testing company Checkmarx.
A rugged little thing… with holes in its shell
As Checkmarx described the tablet in a report issued on Wednesday, the LeapPad is in many ways a perfect first gizmo for kids: it’s rugged, doesn’t require Wi-Fi, and can keep tots entertained in waiting rooms or on long car trips with its kid-friendly educational apps, all without letting the little chicks wander free-range on the savage savannah of the internet.
A Kindle or iPad certainly offers plenty of apps, and even some access restrictions, but generally doesn’t provide the kind of insulation from the internet that many parents want for their young children.
However, after Checkmarx tested the LeapPad Ultimate tablet, it found that the tablet was nonetheless exposing its belly.
The problem: Pet Chat. The app lets users talk to each other in a chat room, using pet avatars and some preset phrases and emoticons. Users can only communicate with those phrases. So where’s the harm in that?
Well, thanks to a directory called Wireless Geographic Logging Engine (WiGLE) – a website that collates wireless hotspots around the world, consolidating location and information into a central database – it’s child’s play to find locations of children using the Pet Chat app. Checkmarx says that’s because Pet Chat creates a Wi-Fi Ad-Hoc connection that broadcasts to other compatible devices nearby using the SSID: PetChat.
Therefore, anybody can identify possible locations of LeapPads via Pet Chat, by finding them on public Wi-Fi or tracking their device’s MAC address.
Unfortunately, before LeapFrog leapt on a fix, Pet Chat wasn’t requiring authentication between a parent’s device and a child’s device. Anybody within range – 100 feet – could send a message to a kid’s device.
Another problem the researchers found was that outgoing traffic from a LeapPad tablet wasn’t encrypted with HTTPS. Instead, the tablets were sending messages in clear-text using the HTTP protocol. That leaves outgoing traffic vulnerable to MitM attacks.
What kind of traffic are we talking about? Highly sensitive data, including:
- Credit Card info: Brand of the card (Visa, MasterCard, etc.), name on the card, credit card number – missing six digits, expiration date, billing address, and phone number
- Parent’s info: Email, name, account balance, and address
- Child’s info: Name, gender, birth year, and birth month
While the credit-card numbers were missing six digits, another security hole meant that attackers could get those digits by setting up a convincing lookalike portal.
LeapSearch-portal phishing attacks
Another app on the tablet, a “child-safe” web browser called LeapSearch that only provides access to safe web content, also proved to be vulnerable to MitM attacks. In this case, researchers managed to modify the content of that “safe web” app to create what they called a “phishing version” of the portal.
It looked perfectly legit, but the researchers set it up to ask users for additional information, such as filling in the missing six digits of the credit card on file.
A model of proper response
LeapFrog done good. It responded fully and quickly. Checkmarx sent its full report to the vendor on 29 December 2018, was on a conference call about two weeks later with LeapFrog’s engineers and product managers (who asked the right questions vis-a-vis seeking more details so they could reproduce the issues), and released the first wave of fixes by 1 February 2019.
By 21 April 2019, LeapFrog told Checkmarx that it had also removed “potentially troublesome phrases” from Pet Chat. By 27 June 2019, the problematic Pet Chat app was disappeared from tablets in stores.
That kind of response is extremely heartening. There are far too many vendors who make technology that plays fast and loose with children’s privacy, enabling adults to contact kids. Often, they incur massive fines. TikTok comes to mind: the kid-addicting video-sharing app was hit with the biggest-ever fine in the US for violating the nation’s child privacy law. Then, the UK launched its own probe. All of this action came after the Federal Trade Commission noted that TikTok’s parent company was fully aware that “a significant percentage of users were younger than 13” and that it had “received thousands of complaints from parents that their children under 13 had created […] accounts”.
In spite of the complaints, FTC chair Joe Simons said that the company “still failed to seek parental consent before collecting names, email addresses and other personal information from users under the age of 13”.
Unfortunately, TikTok isn’t the only one. There was also My Friend Cayla, a Bluetooth-enabled talking/listening doll that’s gotten into trouble multiple times: Germany’s Bundesnetzagentur, the telecoms watchdog, called Cayla an “illegal espionage apparatus” that parents should destroy. Then, France said the IoT, smart, interactive Cayla was too blabby and eavesdroppy to put under the Christmas tree.
Here’s a wish, Fairy Godmother: try to get all IoT toy vendors to look to LeapFrog and leap to some conclusions about how to listen, and respond promptly, to reports about security holes in their products.