Protecting our children from the dangers on the internet is something all parents strive for and struggle with. When you find a toy that you think is safe, and will educate and entertain your child, you buy it. Right? That’s why parents bought and continue to buy LeapFrog’s LeapPad Ultimate.
The Checkmarx Security Research Team recently considered how a cyber-attacker might approach attacking this type of device. Although it was designed to be safe overall, our researchers found multiple security vulnerabilities that were quite concerning. This type of research activity is part of our ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based IoT devices, while bringing more security awareness amid the consumers who use them. Protecting privacy of consumers, and especially children, must be a priority for all of us in today’s increasingly-connected world.
At the end of this blog and in our technical report, we share how we disclosed this information to LeapFrog Enterprises and the fast action the company took to remediate these vulnerabilities. The seriousness LeapFrog demonstrated, and their lightning-fast responsiveness, deserves commendation.
The LeapPad Ultimate tablet is rugged, doesn’t require Wi-Fi, and makes entertaining children in waiting-rooms or on long car trips a breeze. Best of all, the learning technology from LeapFrog keeps children challenged and engaged, while protecting them from the internet at large. A Kindle or iPad certainly offers plenty of apps, and even some access restrictions, but generally doesn’t provide the kind of insulation from the internet that many parents want for their young children. However, after testing the LeapPad Ultimate tablet, there were some serious issues our research team uncovered.
WiGLE shows the mapping, MAC address, and when a device was last scanned. Attackers could check for isolated homes where children are using Pet Chat and try to launch more attacks that we describe in this blog post.
Watch the Proof of Concept here:
LeapFrog’s LeapPad Ultimate Ready for School Tablet
The LeapPad Ultimate offers parents a worry-free option when it comes to getting their children access to a tablet that provides games, videos, eBooks, and other school-readiness applications. With just a few steps from an adult, you can get your 3 to 6-year-old children exploring all kinds of fun apps. They can personalize their user account with their name of course and maybe even a selfie.
Finding LeapPads’ Location Using the Pet Chat App
Pet Chat is an app on LeapPad Ultimate that allows two or more users to talk to each other in a chat room, using their own pet avatars and some preset phrases and emoticons. Users can’t even communicate with one another except via preset phrases. Seems safe enough, right? Now, let’s take a look at WiGLE. WiGLE is a website for collecting information about the different wireless hotspots around the globe. It consolidates location and information of wireless networks–worldwide–and puts them in a central database. Using WiGLE, it’s simple to find locations of children using the Pet Chat application because Pet Chat creates a Wi-Fi Ad-Hoc connection that broadcasts to other compatible devices nearby using the SSID: PetChat. Anyone can identify the possible location of LeapPads using Pet Chat by finding them on public Wi-Fi or tracking their device’s MAC address. Below is an example of locating a Pet Chat user in London, United Kingdom using WiGLE.
Come Outside & Play
We discovered that the Pet Chat protocol does not require any authentication between a parent’s device and a child’s device. This means that any bystander within 100ft of a Leapfrog device running Pet Chat can send a message to a child’s device. It is easy to understand the potential implications of that type of activity. Below is an example of a preset phrase on Pet Chat:
Vulnerable to Man-in-the-Middle Attacks
WiFi-Pumpkin is a rogue access-point framework that allows attackers to spoof an existing Wi-Fi network, while forcing devices connected on the original network to switch to the newly created rogue network. Using WiFi-Pumpkin, we were surprised to see that the outgoing traffic from a LeapPad was not encrypted using HTTPS, but rather using the clear-text HTTP protocol—making it vulnerable to Man-in-the-Middle attacks. The traffic we observed from a LeapPad connected to a rogue WiFi-Pumpkin network could easily contain sensitive data, including:- Credit Card info: Brand of the card (Visa, MasterCard, etc.), name on the card, credit card number - missing 6 digits, expiration date, billing address, and phone number
- Parent’s info: Email, name, account balance, and address
- Child’s info: Name, gender, birth year, and birth month
Vulnerable to LeapSearch-Portal Phishing Attacks
LeapFrog contains an app called LeapSearch—a “child-safe web browser that provides access to safe web content”. Taking advantage of the same man-in-the-middle technique described earlier, we were also able to modify the content of that “safe web” application. By injecting pieces of real data retrieved in the previous step, we created a “phishing version” of the LeapSearch portal which appears to be legit. We then manipulated the bogus portal, making it ask the user for additional sensitive information, such as filling in the missing 6 digits of the credit card on file.