Kaspersky discovered that a popular smart toy robot had vulnerabilities that could make children potential targets for cybercriminals.
The vulnerabilities found in the toy’s system could allow hackers to gain control over it and use it to communicate with children through video chat without their parents’ knowledge or consent. These risks also extend to the possibility of sensitive information such as the users’ names, genders, ages, and locations being compromised.
The Android-based robot, designed for kids, comes equipped with a built-in video camera and microphone. By harnessing the power of artificial intelligence, the robot can recognize and interact with children by name, adjust its responses based on the child’s mood, and gradually get to know them over time. Parents must download the app to their mobile devices to unlock the full potential of the toy. Through the app, parents can monitor their child’s progress with the learning activities and even initiate a video call with their child via the robot.
During setup, parents connect the toy to Wi-Fi, link it to their device, and provide the child’s name and age. However, Kaspersky experts have discovered that the API (Application Programming Interface) requesting this info lacks authentication enforcement, potentially allowing cybercriminals to intercept data, including the child’s name, age, gender, country of residence, and IP address.
The flaw in the robot’s security also allows cybercriminals to exploit its camera and microphone, bypassing the authorization process. Attackers can then initiate direct calls to users, potentially manipulating them into engaging in risky behaviors.
Even worse, security issues with the parent’s mobile app could allow attackers to take control of the robot and gain unauthorized access to the network by brute-forcing the six-digit one-time password (OTP) with no limit on failed attempts.
“Despite the common belief that a higher price tag implies enhanced security, it is essential to understand that even the most expensive smart toys may not be immune to vulnerabilities that attackers can exploit. Hence, parents must carefully examine toy reviews, remain vigilant about updating smart device software, and closely supervise their child’s activities during playtime,” shared Nikolay Frolov, a senior security researcher at Kaspersky’s ICS CERT.
To keep all smart devices secure and protected, Kaspersky experts compiled the following tips:
- Keep your devices updated: Regularly update the firmware and software of all your connected devices, including smart toys. These updates often contain crucial security patches that address known vulnerabilities.
- Research before purchase: Before buying a smart toy or any connected device, research the manufacturer’s reputation for security and privacy. Choose devices from reputable brands that prioritize security and provide regular updates.
- Be cautious with app permissions: Review and limit the permissions granted to mobile apps associated with your smart device. Only provide necessary access to features and data, and avoid granting excessive privileges.
- Power it off when not used: To prevent data collection, switch off the smart toy when not in use. If the device has a microphone, store it in a hard-to-reach place when inactive and cover or redirect any cameras when not in use.
- Use reliable security solutions: Employ a dependable security solution to help secure and protect your entire smart home ecosystem.
The Kaspersky team promptly reported all vulnerabilities to the vendor, who quickly patched them. Go to Securelist.com to learn more.