Israeli cybersecurity firm Checkmarx says it has found “multiple security vulnerabilities” in a tablet for children by LeapFrog Enterprises, a developer of educational games.
Checkmarx informed LeapFrog about the security flaws, and LeapFrog has already remedied them, the researchers said in a blog post.
The researchers found the cybersecurity vulnerabilities in the LeapPad Ultimate tablet, which provides games, videos, e-books, and other school-readiness applications aimed at three- to six-year-olds. The tablet doesn’t require Wi-Fi, keeping children protected from the internet, unlike other tablets which connect to a network.
“After testing the LeapPad Ultimate tablet, there were some serious issues our research team uncovered,” the blog said.
The first was that the location of those using the Pet Chat app installed on the tablet could be discovered on WiGLE, a website that collects data on wireless hotspots around the world.
Pet Chat allows two or more users to talk to each other in a chat room, using their own pet avatars and some preset phrases and emoticons. Users can’t communicate with one another except via preset phrases. However, using WiGLE, the researchers were able to find the location of children using Pet Chat, because the app creates a Wi-Fi ad hoc connection that broadcasts to other compatible devices nearby.
“Anyone can identify the possible location of LeapPads using Pet Chat by finding them on public Wi-Fi or tracking their device’s MAC address,” the blog said.
In addition, Pet Chat does not require any authentication between a parent’s device and a child’s tablet. This means that any bystander within 100 feet of a LeapPad running the app can send a message to the tablet, impersonating a parent and asking the child to go out and play, using a preset phrase: “Let’s go! Play outside together.”
“It is easy to understand the potential implications of that type of activity,” said the blog.
The app also left sensitive data, such as credit card information, name, email, gender, date of birth and address, open to access by hackers, because the outgoing traffic from the LeapPad was not encrypted, the blog said.
On June 27, LeapFrog confirmed the removal of the Pet Chat app from its stores, the blog said.
Meanwhile, the researchers warned that LeapPad devices older than three years may still have Pet Chat installed. Parents are advised by Checkmarx to “manually uninstall or refrain from using the application.”
“We thank Checkmarx for bringing these security issues to our attention, as the safety of the children who use our products is a top priority. With the information they provided, we were able to take immediate actions to resolve the issues. Checkmarx has been helpful, ethical, and professional. Cooperating with them has benefited LeapFrog and our customers,” LeapFrog said, according to the blog.