A popular children's toy made by LeapFrog is susceptible to a variety of attacks that leverage Adobe Flash vulnerabilities.
Security expert Mike Carthy explains in a blog post how he probed a LeapFrog LeapPad ULTRA that he recently purchased at a toy store.
Carthy admits that it was his original intention to go out and buy a Hello Barbie, a Wi-Fi-connected iteration of the popular doll that suffers from its own security issues.
But when he learned that LeapFrog had recently been acquired by VTech, which is still presumably working to harden its security following a hack late last year, the security expert couldn't contain his excitement.
Things started off slow. Two Nmap scans yielded nothing except the fact that the device responded to ICMP Echo requests.
Right when he thought playtime was over, Carthy recalled that the tablet had an application that resembles a web browser. This web browser consisted of a single page that delivers video and gaming content via a remote server.
One ARP cache poisoning attack campaign later, the security expert had obtained the IP address to an AWS server. To his surprise, when he attempted to load up the address on his laptop, it proceeded to do so without so much as a hiccup.
At that point, Carthy turned his attention to how the video content was being served up on the page:
"Within minutes I had the box wired into my machine. Upon plugging it in I was prompted to download an application called LeapFrog Connect – which once installed asked me to update Adobe Flash from the current version, which I discovered to be 18.104.22.168."
This version contains a well known vulnerability that could allow an attacker to execute arbitrary code on a machine.
To LeapFrog's credit, the LeapPad made the update mandatory for Carthy to continue using the Connect application. But this happened only after he had connected the toy to his computer - something which other parents might never do.
The security risks that ensue from that oversight are scary, to be sure:
"Any malware exploiting these vulnerabilities would be able to gain full access to the device – allowing an attacker activate the built-in microphone, monitor your child’s activity and even take pictures of them using both the front and rear facing cameras on the device."
Clearly, LeapFrog has a long way to go towards protecting its products.
Carthy recommends that the company institute mandatory updates upon initial device configuration and replace Adobe Flash with HTML 5. We can only hope that other toy companies would then follow LeapFrog's example. They owe it to their customers and to their target audience - kids - to make sure their products are as safe as can be.