Vulnerabilities in LeapFrog tablet could expose user info and location

7 Aug 2019


LeapFrog removed one of its apps after it was revealed it contained vulnerabilities that could impact child safety.

Researchers from cybersecurity company Checkmarx released a report this morning (7 August), which outlined serious vulnerabilities in LeapFrog’s LeapPad Ultimate that could be used to determine a child’s location or send them messages.

The LeapPad Ultimate is a tablet aimed at children aged three to six. The tablet currently retails for €110 in Ireland and comes preloaded with games, flashcards and read-along videos. The tablet also features a camera for selfies and a library where parents can download more content for the tablet.

Head of security research at Checkmarx, Erez Yalon, told Fortune: “The reason we chose LeapFrog is because we are looking at devices that may hold more serious implications than others.”

Checkmarx said that the device was “designed to be safe, overall”, but noted that its team found some concerning vulnerabilities. Yalon added: “We’re looking at the worst-case scenario but, as a dad, I’d rather look at the worst-case scenario.”

Location

In its report, Checkmarx said: “Pet Chat is an app on LeapPad Ultimate that allows two or more users to talk to each other in a chat room, using their own pet avatars and some pre-set phrases and emoticons. Users can’t even communicate with one another except via pre-set phrases. Seems safe enough, right?”

The cybersecurity firm explained that there is a website called Wigle, which collects information about different wireless hotspots around the globe.

“Using Wigle, it’s simple to find locations of children using the Pet Chat application, because Pet Chat creates a Wi-Fi ad-hoc connection that broadcasts to other compatible devices nearby using the SSID PetChat,” Checkmarx said.

“Anyone can identify the possible location of LeapPads using Pet Chat by finding them on public Wi-Fi or tracking their device’s MAC [media access control] address.”

Personal information

Checkmarx also discovered that the Pet Chat protocol does not require any authentication between a parent’s device and a child’s device, which allows any bystander within 100ft of a LeapFrog device running Pet Chat to send a message to a child’s device.
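The missing check described above, as an added example that is not LeapFrog's or Checkmarx's code: a model of a local chat receiver that shows any well-formed message to the child, beside one that only accepts messages from a device the parent paired with, verified with an HMAC over the message and protected against replays by a counter. The message fields, the phrase table and the pairing step are hypothetical; the report describes the real Pet Chat protocol only as unauthenticated and phrase-based.

```python
"""Added example: unauthenticated vs paired, authenticated chat messages.
The wire format below is hypothetical and constructed for illustration."""
import hashlib
import hmac
import json

# Hypothetical pre-set phrase table (the real app uses its own fixed list).
PHRASES = {1: "Hi!", 2: "Want to play?", 3: "Bye!"}


def accept_unauthenticated(msg):
    """Model of a receiver with no sender authentication: any nearby device
    that produces a well-formed message gets its phrase shown to the child."""
    return PHRASES.get(msg.get("phrase_id"))


def _canonical(sender_id, counter, phrase_id):
    # Deterministic byte encoding of the authenticated fields.
    return json.dumps(
        {"sender_id": sender_id, "counter": counter, "phrase_id": phrase_id},
        sort_keys=True,
    ).encode()


def sign(sender_id, key, counter, phrase_id):
    """Sender side: attach an HMAC-SHA256 tag computed with the pairing key."""
    mac = hmac.new(key, _canonical(sender_id, counter, phrase_id), hashlib.sha256)
    return {"sender_id": sender_id, "counter": counter,
            "phrase_id": phrase_id, "mac": mac.hexdigest()}


class PairedReceiver:
    """Child-side receiver that only shows phrases from devices that completed
    an out-of-band pairing step (hypothetically, a code typed on the parent's
    device) and drops replays using a per-sender monotonic counter."""

    def __init__(self):
        self.keys = {}      # sender_id -> shared pairing key
        self.counters = {}  # sender_id -> last accepted counter

    def pair(self, sender_id, key):
        self.keys[sender_id] = key
        self.counters[sender_id] = 0

    def accept(self, msg):
        sender = msg.get("sender_id")
        key = self.keys.get(sender)
        if key is None:
            return None  # unknown device: drop silently
        counter, phrase_id = msg.get("counter"), msg.get("phrase_id")
        expected = hmac.new(key, _canonical(sender, counter, phrase_id),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return None  # tampered or forged
        if not isinstance(counter, int) or counter <= self.counters[sender]:
            return None  # replayed message
        self.counters[sender] = counter
        return PHRASES.get(phrase_id)


def demo():
    """Constructed scenario: a paired parent and an unpaired bystander device."""
    parent_key = b"constructed-pairing-key"  # constructed, not a real secret
    child = PairedReceiver()
    child.pair("parent-1", parent_key)
    from_parent = sign("parent-1", parent_key, 1, 2)
    from_bystander = sign("bystander", b"some-other-key", 1, 1)
    return {
        "unauth_shows_bystander": accept_unauthenticated(from_bystander),
        "paired_shows_parent": child.accept(from_parent),
        "paired_replay": child.accept(from_parent),
        "paired_drops_bystander": child.accept(from_bystander),
    }


if __name__ == "__main__":
    print(demo())
```

The pairing key is what the unauthenticated design lacks: without some secret established between the parent's and the child's device, a receiver has no basis on which to tell a parent's message from a bystander's, whatever the radio range.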

The cybersecurity company also discovered that the outgoing traffic from a LeapPad was not encrypted with HTTPS, but was sent over the clear-text HTTP protocol.

This makes the device vulnerable to ‘man-in-the-middle’ attacks. Checkmarx discovered that sensitive data could be observed by an outsider, including credit card information, billing addresses, names on the credit cards and phone numbers associated with the billing details.

An outsider could also see the parent’s email address, name, account balance and address, as well as the child’s name, gender, birth year and birth month. Checkmarx added that, with a man-in-the-middle attack, the child-safe web browser on the device could be modified.
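The exposure described in the two paragraphs above, as an added example (not code from the page, from LeapFrog or from Checkmarx): an audit routine that walks a constructed capture of a device's outgoing requests, parses the clear-text HTTP ones and reports which sensitive fields a passive on-path observer would have been able to read, masking the values in its output. Requests carried over TLS are skipped, since the observer sees only the host name and traffic sizes. The host name, paths and field names are constructed for the example; the card number is the standard 4111... test value.

```python
"""Added example: auditing a constructed capture for sensitive data sent
over clear-text HTTP. All hosts, paths, field names and values are constructed."""
import re
from urllib.parse import parse_qs

# Field names we treat as sensitive (constructed list, mirroring the data
# classes the report says were visible: billing, parent and child details).
SENSITIVE_FIELDS = {
    "card_number", "cardholder", "billing_address", "phone", "email",
    "parent_name", "balance", "child_name", "child_gender",
    "birth_year", "birth_month",
}


def luhn_ok(digits):
    """Luhn checksum, used to spot card-number-shaped values whatever the field name."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        fields = {k: v[0] for k, v in parse_qs(body).items()}
    elif "?" in path:
        fields = {k: v[0] for k, v in parse_qs(path.split("?", 1)[1]).items()}
    return method, path, headers, fields


def mask(value):
    """Keep only the last four characters so a report does not re-expose the data."""
    return value if len(value) <= 4 else "*" * (len(value) - 4) + value[-4:]


def audit_capture(capture):
    """capture: list of (scheme, raw_request). Returns one finding per
    clear-text request that carried sensitive fields."""
    findings = []
    for scheme, raw in capture:
        if scheme != "http":
            continue  # TLS: an on-path observer sees host name and sizes only
        method, path, headers, fields = parse_http_request(raw)
        exposed = {}
        for name, value in fields.items():
            digits = re.sub(r"\D", "", value)
            card_like = 13 <= len(digits) <= 19 and luhn_ok(digits)
            if name in SENSITIVE_FIELDS or card_like:
                exposed[name] = mask(value)
        if exposed:
            findings.append({"host": headers.get("host"), "method": method,
                             "path": path.split("?", 1)[0], "exposed": exposed})
    return findings


# Constructed capture: what a device talking to its store might send.
SAMPLE_CAPTURE = [
    ("http", "POST /account/billing HTTP/1.1\r\nHost: store.example.invalid\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "cardholder=Jane+Parent&card_number=4111111111111111"
             "&billing_address=1+Example+St&phone=0123456789"),
    ("http", "GET /profile?child_name=Sam&birth_year=2015&birth_month=4 HTTP/1.1\r\n"
             "Host: store.example.invalid\r\n\r\n"),
    ("https", "POST /account/billing HTTP/1.1\r\nHost: store.example.invalid\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "card_number=4111111111111111"),
    ("http", "GET /catalog/games HTTP/1.1\r\nHost: store.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

On a real device the same check would run over requests exported from a packet capture taken on the home network; the point it makes is that the billing and profile fields are readable by anyone on the path precisely because they travelled over HTTP, while the identical HTTPS request contributes nothing to the report.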

LeapFrog’s response

After Checkmarx released its research, LeapFrog took a number of measures to resolve these issues and secure the tablets to protect users, according to the cybersecurity firm.

The vulnerabilities were brought to LeapFrog’s attention in December and the first fixes were made in February. In June, LeapFrog decided to remove Pet Chat from the app store entirely.

In a statement, Mari Sunderland, vice-president of digital product management at LeapFrog Enterprises, said: “We thank Checkmarx for bringing these security issues to our attention, as the safety of the children who use our products is a top priority.

“With the information they provided, we were able to take immediate actions to resolve the issues. Checkmarx has been helpful, ethical and professional. Cooperating with them has benefitted LeapFrog and our customers.”

LeapFrog assured parents: “No action is required, and we would always recommend parents to monitor who their children play with in the cyberworld.”

Kelly Earley was a journalist with Silicon Republic
