LeapFrog child's toy found susceptible to attacks leveraging Adobe Flash

Researcher found it child’s play to identify potential weakness in Wi-Fi enabled toy.

LeapFrog child's toy found susceptible to attacks leveraging Adobe Flash

A popular children's toy made by LeapFrog is susceptible to a variety of attacks that leverage Adobe Flash vulnerabilities.

Security expert Mike Carthy explains in a blog post how he probed a LeapFrog LeapPad ULTRA that he recently purchased at a toy store.

Carthy admits that it was his original intention to go out and buy a Hello Barbie, a Wi-Fi-connected iteration of the popular doll that suffers from its own security issues.

But when he learned that LeapFrog had recently been acquired by VTech, which is still presumably working to harden its security following a hack late last year, the security expert couldn't contain his excitement.

Mike Carthy with Leapfrog toy

Things started off slow. Two Nmap scans yielded nothing except the fact that the device responded to ICMP Echo requests.

Right when he thought playtime was over, Carthy recalled that the tablet had an application that resembles a web browser. This web browser consisted of a single page that delivers video and gaming content via a remote server.

One ARP cache poisoning attack campaign later, the security expert had obtained the IP address to an AWS server. To his surprise, when he attempted to load up the address on his laptop, it proceeded to do so without so much as a hiccup.

Leapfrog browsing

At that point, Carthy turned his attention to how the video content was being served up on the page:

"Within minutes I had the box wired into my machine. Upon plugging it in I was prompted to download an application called LeapFrog Connect – which once installed asked me to update Adobe Flash from the current version, which I discovered to be 19.0.0.185."

This version contains a well known vulnerability that could allow an attacker to execute arbitrary code on a machine.

Leapfrog flash

To LeapFrog's credit, the LeapPad made the update mandatory for Carthy to continue using the Connect application. But this happened only after he had connected the toy to his computer - something which other parents might never do.

The security risks that ensue from that oversight are scary, to be sure:

"Any malware exploiting these vulnerabilities would be able to gain full access to the device – allowing an attacker activate the built-in microphone, monitor your child’s activity and even take pictures of them using both the front and rear facing cameras on the device."

Clearly, LeapFrog has a long way to go towards protecting its products.

Carthy recommends that the company institute mandatory updates upon initial device configuration and replace Adobe Flash with HTML 5. We can only hope that other toy companies would then follow LeapFrog's example. They owe it to their customers and to their target audience - kids - to make sure their products are as safe as can be.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , ,

One Response

  1. coyote

    March 10, 2016 at 1:33 am #

    'They owe it to their customers and to their target audience – kids – to make sure their products are as safe as can be.'

    Yes. But I would say if they truly were to do that they wouldn't be meddling with the IoT in the first place. Do toys for children really need to be connected to the Internet? Not if you're reasonable.

Leave a Reply