LeapFrog LeapPad Ultimate Security Vulnerabilities

Protecting our children from the dangers on the internet is something all parents strive for and struggle with. When you find a toy that you think is safe, and will educate and entertain your child, you buy it. Right? That’s why parents bought and continue to buy LeapFrog’s LeapPad Ultimate. The Checkmarx Security Research Team recently considered how a cyber-attacker might approach attacking this type of device. Although it was designed to be safe overall, our researchers found multiple security vulnerabilities that were quite concerning. This type of research activity is part of our ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based IoT devices, while bringing more security awareness amid the consumers who use them. Protecting privacy of consumers, and especially children, must be a priority for all of us in today’s increasingly-connected world. At the end of this blog and in our technical report, we share how we disclosed this information to LeapFrog Enterprises and the fast action the company took to remediate these vulnerabilities. The seriousness LeapFrog demonstrated, and their lightning-fast responsiveness, deserves commendation.

LeapFrog’s LeapPad Ultimate Ready for School Tablet

The LeapPad Ultimate offers parents a worry-free option when it comes to getting their children access to a tablet that provides games, videos, eBooks, and other school-readiness applications. With just a few steps from an adult, you can get your 3 to 6-year-old children exploring all kinds of fun apps. They can personalize their user account with their name of course and maybe even a selfie. The LeapPad Ultimate tablet is rugged, doesn’t require Wi-Fi, and makes entertaining children in waiting-rooms or on long car trips a breeze. Best of all, the learning technology from LeapFrog keeps children challenged and engaged, while protecting them from the internet at large. A Kindle or iPad certainly offers plenty of apps, and even some access restrictions, but generally doesn’t provide the kind of insulation from the internet that many parents want for their young children. However, after testing the LeapPad Ultimate tablet, there were some serious issues our research team uncovered.

Finding LeapPads’ Location Using the Pet Chat App

Pet Chat is an app on LeapPad Ultimate that allows two or more users to talk to each other in a chat room, using their own pet avatars and some preset phrases and emoticons. Users can’t even communicate with one another except via preset phrases. Seems safe enough, right? Now, let’s take a look at WiGLE. WiGLE is a website for collecting information about the different wireless hotspots around the globe. It consolidates location and information of wireless networks–worldwide–and puts them in a central database. Using WiGLE, it’s simple to find locations of children using the Pet Chat application because Pet Chat creates a Wi-Fi Ad-Hoc connection that broadcasts to other compatible devices nearby using the SSID: PetChat. Anyone can identify the possible location of LeapPads using Pet Chat by finding them on public Wi-Fi or tracking their device’s MAC address. Below is an example of locating a Pet Chat user in London, United Kingdom using WiGLE. WiGLE shows the mapping, MAC address, and when a device was last scanned. Attackers could check for isolated homes where children are using Pet Chat and try to launch more attacks that we describe in this blog post.

Come Outside & Play

We discovered that the Pet Chat protocol does not require any authentication between a parent’s device and a child’s device. This means that any bystander within 100ft of a Leapfrog device running Pet Chat can send a message to a child’s device. It is easy to understand the potential implications of that type of activity. Below is an example of a preset phrase on Pet Chat:

Vulnerable to Man-in-the-Middle Attacks

WiFi-Pumpkin is a rogue access-point framework that allows attackers to spoof an existing Wi-Fi network, while forcing devices connected on the original network to switch to the newly created rogue network. Using WiFi-Pumpkin, we were surprised to see that the outgoing traffic from a LeapPad was not encrypted using HTTPS, but rather using the clear-text HTTP protocol—making it vulnerable to Man-in-the-Middle attacks. The traffic we observed from a LeapPad connected to a rogue WiFi-Pumpkin network could easily contain sensitive data, including:

• Credit Card info: Brand of the card (Visa, MasterCard, etc.), name on the card, credit card number - missing 6 digits, expiration date, billing address, and phone number
• Parent’s info: Email, name, account balance, and address
• Child’s info: Name, gender, birth year, and birth month

Vulnerable to LeapSearch-Portal Phishing Attacks

LeapFrog contains an app called LeapSearch—a “child-safe web browser that provides access to safe web content”. Taking advantage of the same man-in-the-middle technique described earlier, we were also able to modify the content of that “safe web” application. By injecting pieces of real data retrieved in the previous step, we created a “phishing version” of the LeapSearch portal which appears to be legit. We then manipulated the bogus portal, making it ask the user for additional sensitive information, such as filling in the missing 6 digits of the credit card on file. Watch the Proof of Concept here:

LeapFrog Resolved the Issues Quickly

The vulnerabilities we uncovered during this research would likely create worrying scenarios for parents, concerning their children’s usage of LeapPad. LeapFrog did take several measures to secure these tablets to protect children. However, just a few vulnerabilities can be combined to create some very harmful attack results. As a result of our research, LeapFrog responded to our report and confirmed that they had released fixes soon after they acknowledged our findings, and completely removed Pet Chat from stores.

Disclosure Timeline

29-Dec-2018: Sent the full report to LeapFrog. 18-Jan-2019: Conference call with LeapFrog's engineers and Products managers - asked for more details to better reproduce issues. 21-Jan-2019: Sent a detailed guide to reproduce issues. 01-Feb-2019: LeapFrog reported the release of the first wave of fixes. 21-Apr-2019: LeapFrog reported the removal of potentially troublesome phrases from Pet Chat. 27-Jun-2019: LeapFrog confirmed the removal of the Pet Chat app from stores.

Checkmarx Recommendation to LeapPad Owners

LeapPad devices that are older than three years may still have Pet Chat installed. Parents are advised by Checkmarx to manually uninstall or refrain from using the application.

LeapFrog’s Correspondence to Checkmarx

LeapFrog also shared the following comment from Mari Sunderland, VP of Digital Product Management at LeapFrog Enterprises: “We thank Checkmarx for bringing these security issues to our attention, as the safety of the children who use our products is a top priority. With the information they provided, we were able to take immediate actions to resolve the issues. Checkmarx has been helpful, ethical, and professional.  Cooperating with them has benefitted LeapFrog and our customers.”

Checkmarx Research Team’s Mission

Discovering vulnerabilities like the ones mentioned above is why Checkmarx performs research. Checkmarx is committed to helping organizations build more-secure software. Our Software Security Platform helps developers and security teams find and fix vulnerabilities in the software they develop. Plus, we offer solutions that train an organization’s developers to be increasingly aware of software vulnerabilities in code that could result in successful cyberattacks. We have a responsibility to build software security into everything we deliver. Read the complete report here.