Posted by Robert Vamosi on March 16, 2016
It’s a familiar story: A newly disclosed software flaw could allow a remote hacker to follow a user’s online activity, activate the in-built microphone, and take pictures using the front-facing camera on the device. The problem is in this case the device is a kid’s toy from LeapFrog.
In a blog, security researcher Mike McCarthy said the LeapPad Ultra comes bundled out of the box with a vulnerable version of Flash Player. The device is basically a mobile device browser designed to serve game and video content via a hard-coded remote web server. Unfortunately, the browser is vulnerable to attack.
“I assumed that LeapFrog would be smart enough to drop HTTP connections (from unknown IPs) where the client’s user-agent didn’t match the one on the LeapFrog,” McCarthy said. “It turns out I was giving them far too much credit for their effort – since the web page quite happily loaded without restriction.”
When he connected the device to his computer, he was asked update to the latest version of Flash. However, there is no auto-update feature, and you only need to hook it to a computer once. McCarthy said the initial Flash software on the tablet was 22.214.171.124 which contains a known critical “remote code execution” flaw. And if the parent doesn’t connect to a computer, they won’t get the updated version which contains several security fixes.
“This particular product only prompted me to update upon connecting it to my computer, something which many parents purchasing these devices may never do […] what this does highlight is a serious problem with manufacturers not enforcing compulsory updates on products – many of which will have been sitting on shelves for months.”
Perhaps this is much ado about nothing, but McCarthy has a point. “Can you imagine I’d searched for a persistent XSS vulnerability on that site? I’d be able to inject malicious code into the pages and exploit Adobe Flash, deliver a reverse connection back to my machine and have an international Sesame Street botnet operational within an hour.”
And it gets worse. The LeapUltra includes a front and a rear camera as well as a microphone. This could create serious privacy issues.
“Any malware exploiting these vulnerabilities would be able to gain full access to the device – allowing an attacker activate the built-in microphone, monitor your child’s activity and even take pictures of them using both the front and rear facing cameras on the device,” McCarthy said.
In response to the claims, a spokesperson for LeapFrog told IBTimes UK: “We would like to reassure you that LeapFrog takes the security of consumer information very seriously and have appropriate measures in place to ensure that any information we retain to provide a great experience for our products remains safe and secure. Consumer security and trust is of the upmost importance to us and we are looking into this as a matter of urgency.”
Get the latest AppSec news and trends sent directly to you.