Researchers at the Black Hat security conference this week have revealed vulnerabilities in a leading child's tablet product.
The researchers, from security company Checkmarx, found several flaws in the LeapPad Ultimate, a rugged tablet device by LeapFrog, ThreatPost reported today.
The flaws revolved around Pet Chat, an app that lets children talk to each other in a virtual room using pet avatars and predefined phrases. The app creates a peer-to-peer Wi-Fi connection (also known as Ad Hoc mode) that broadcasts the tablet's presence to similar devices using the SSID Pet Chat.
Checkmarx researchers used WiGLE, a wireless network mapping website, to track the location of LeapPads using Pet Chat. The vulnerability would allow anyone online to find the location of a LeapPad using Pet Chat by seeking them out on public Wi-Fi or tracking the device's MAC address.
Because Pet Chat didn't require authentication between devices, anyone near a LeapPad running the app could send an unsolicited message to the child with it, potentially using the preset phrases to lure the child into danger.
The LeapPad's outgoing traffic was also unencrypted, using HTTP rather than the TLS/SSL-encrypted HTTPS, the researchers warned.
They disclosed the Pet Chat vulnerability to LeapFrog in December 2018, although the company didn't remove it until June 2019.
This isn't the first time that children have been exposed by technology that purports to help them. In February, security consulting firm Pen Test Partners discovered that cybersecurity in children's smart watches had failed to improve following a report from the Norwegian Consumer Council in early 2018. The European Commission issued a recall order for one smartwatch, called Safe-KID-One, from German company ENOX, which sent information including location history and phone numbers in the clear. Malicious users could send commands to any watch making it call another number of their choosing.
LeapFrog didn't return our request for comment by press time.