Developers of the LeapPad Ultimate have since issued fixes

The Internet of Things (IoT) ecosystem continues to produce devices that are all too easy for an attacker to access – including ones used by children.

A new report from researchers at Checkmarx has found multiple vulnerabilities in a popular tablet used by kids aged three to nine.

LeapFrog’s LeapPad Ultimate, which comes with an assortment of interactive apps for educational and entertainment purposes, provided opportunity for an attacker to locate users and send unauthenticated messages between devices, researchers said.

This was due to a lack of security protocols in a number of the tablet’s applications, including Pet Chat – a chat room where children can communicate by using pets as avatars.

Since Pet Chat produced a WiFi ad-hoc connection in order to find other compatible devices, an attacker could easily find a user’s location via public WiFi and network scanning tools such as WiGLE, researchers said.

With no way of authenticating users, an attacker could also send messages to any device within 100 feet.

Pet Chat has since been removed from LeapPad Ultimate devices.

Another vulnerability found in the product made users susceptible to man-in-the-middle (MitM) attacks, where an attacker was able to gain access to sensitive information, partly due to the use of the clear-text HTTP protocol, meaning data was unencrypted.

An attacker could force LeapPad Ultimate users onto a spoofed WiFi network and then gain access to credit card information, emails, names, phone numbers, and dates of birth.

Checkmarx said that there was no evidence that the vulnerabilities had been exploited by malicious actors, and that LeapFrog had responded to its security report in a timely fashion.

“The seriousness LeapFrog demonstrated, and its lightning-fast responsiveness, deserves commendation,” Erez Yalon, head of security research at Checkmarx, told The Daily Swig.

“LeapFrog responded to our report in a timely manner, updated us on their internal process, made sure their engineers talked directly to our researchers, confirmed they had released fixes soon after they acknowledged our findings and went the extra mile of completely removing Pet Chat from stores.”

The vulnerabilities were first reported to LeapFrog on December 29 last year. Work on the issues took place in the weeks that followed, with fixes put out in February, April and June, respectively.

“When it comes to the disclosure process, vendor responsiveness can vary due to a variety of factors,” Yalon said.

“Overall though, they understand both the importance of these flags we raise and timely remediation.”

Yalon and his team at Checkmarx work with vendors regularly to help them build security first software in order to drive industry change.

They’ve previously pointed out concerning vulnerabilities found in consumer products such as the Amazon Echo and Lenovo Watch X.

“Companies are slowly adjusting to incorporating security at the start of the software development lifecycle, rather than in the middle or end, but we have a long way to go until this is a widely-adopted practice,” he said.

“Often times, when we disclose vulnerabilities such as this, it serves as a major wakeup call to overhaul the development process and ensure that security becomes top-of-mind.

“In these efforts, we hope that the wakeup call is not only one for that specific vendor, but to all others as well.”

Users are advised to check whether Pet Chat is still installed on their LeapPad Ultimate, and manually disable the application. Devices that are three-years and older may still be vulnerable.

Mari Sunderland, vice president of digital product management at LeapFrog Enterprises, said: “We thank Checkmarx for bringing these security issues to our attention, as the safety of the children who use our products is a top priority.”

The Daily Swig has reached out to LeapFrog for additional comment.


RELATED Kids’ fashion site i-Dressup pays $35,000 to settle online privacy violations