‘Kid Safe’ tablet LeapPad open to attack via Adobe Flash vulnerabilities
Thu 10 Mar 2016
LeapFrog’s popular children’s tablet LeapPad is susceptible to a variety of attacks that exploit Adobe Flash vulnerabilities, according to security expert Mark Carthy.
The researcher explained in a blog post yesterday how he recently purchased the toy after learning that LeapFrog had recently been acquired by VTech – which is still recovering from last year’s hack that compromised the personal data of millions of families and children.
Carthy noted how two Nmap scans had disappointingly delivered nothing of interest, except that the LeapPad responded to ICMP Echo requests. On the verge of giving up, he then discovered an application on the device, similar to a web browser, which serves video and gaming content from a remote server.
Having carried out an ARP cache poisoning attack, Carthy was able to reroute the traffic via his laptop and connect it to the internet. Next, he filtered the traffic by source address and protocol to obtain an IP address for an AWS server. The address loaded on his laptop ‘quite happily’ and ‘without restriction.’
From here, Carthy focused on how the video content was being served on the application: ‘Within minutes I had the box wired into my machine. Upon plugging it in I was prompted to download an application called LeapFrog Connect – which once installed asked me to update Adobe Flash from the current version, which I discovered to be 22.214.171.124.’
This version of Adobe Flash contains a well-known vulnerability which could allow attackers to install malicious code onto the device. While the LeapPad prompted the update, this happened only when the device was hooked up to Carthy’s computer – a step which parents and consumers cannot be expected to take.
Carthy detailed the numerous security risks related to the failing: ‘Any malware exploiting these vulnerabilities would be able to gain full access to the device – allowing an attacker [to] activate the built-in microphone, monitor your child’s activity and even take pictures of them using both the front and rear facing cameras on the device.’
Finishing his post with a recommendation to LeapFrog, Carthy advised the company to tighten up its content server with mandatory authentication, enforce compulsory updates upon initial device configuration, and get rid of Adobe Flash for video content.