LeapFrog child’s toy found susceptible to attacks leveraging Adobe Flash

Researcher found it child’s play to identify potential weakness in Wi-Fi enabled toy.

David bisson
David Bisson
@
@DMBisson

LeapFrog child's toy found susceptible to attacks leveraging Adobe Flash

A popular children’s toy made by LeapFrog is susceptible to a variety of attacks that leverage Adobe Flash vulnerabilities.

Security expert Mike Carthy explains in a blog post how he probed a LeapFrog LeapPad ULTRA that he recently purchased at a toy store.

Carthy admits that it was his original intention to go out and buy a Hello Barbie, a Wi-Fi-connected iteration of the popular doll that suffers from its own security issues.

Sign up to our free newsletter.
Security news, advice, and tips.

But when he learned that LeapFrog had recently been acquired by VTech, which is still presumably working to harden its security following a hack late last year, the security expert couldn’t contain his excitement.

Mike Carthy with Leapfrog toy

Things started off slow. Two Nmap scans yielded nothing except the fact that the device responded to ICMP Echo requests.

Right when he thought playtime was over, Carthy recalled that the tablet had an application that resembles a web browser. This web browser consisted of a single page that delivers video and gaming content via a remote server.

One ARP cache poisoning attack campaign later, the security expert had obtained the IP address to an AWS server. To his surprise, when he attempted to load up the address on his laptop, it proceeded to do so without so much as a hiccup.

Leapfrog browsing

At that point, Carthy turned his attention to how the video content was being served up on the page:

“Within minutes I had the box wired into my machine. Upon plugging it in I was prompted to download an application called LeapFrog Connect – which once installed asked me to update Adobe Flash from the current version, which I discovered to be 19.0.0.185.”

This version contains a well known vulnerability that could allow an attacker to execute arbitrary code on a machine.

Leapfrog flash

To LeapFrog’s credit, the LeapPad made the update mandatory for Carthy to continue using the Connect application. But this happened only after he had connected the toy to his computer – something which other parents might never do.

The security risks that ensue from that oversight are scary, to be sure:

“Any malware exploiting these vulnerabilities would be able to gain full access to the device – allowing an attacker activate the built-in microphone, monitor your child’s activity and even take pictures of them using both the front and rear facing cameras on the device.”

Clearly, LeapFrog has a long way to go towards protecting its products.

Carthy recommends that the company institute mandatory updates upon initial device configuration and replace Adobe Flash with HTML 5. We can only hope that other toy companies would then follow LeapFrog’s example. They owe it to their customers and to their target audience – kids – to make sure their products are as safe as can be.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “LeapFrog child’s toy found susceptible to attacks leveraging Adobe Flash”

  1. coyote

    'They owe it to their customers and to their target audience – kids – to make sure their products are as safe as can be.'

    Yes. But I would say if they truly were to do that they wouldn't be meddling with the IoT in the first place. Do toys for children really need to be connected to the Internet? Not if you're reasonable.

  2. Jim

    I'm so tired of security "experts" bashing companies for something they "should" have done. It's hindsight. There's nothing they can do to update a device that's not connected to the network, now is there? The author acts like LeapFrog should just know this and somehow magically fix it so he can look all-seeing. Knock it off. This isn't a "tip" or a "find". It's a cheap shot.

    1. Graham CluleyGraham Cluley · in reply to Jim

      Hi Joe

      LeapFrogs are connected to networks via Wi-Fi. If you're having trouble connecting your LeapFrog, here is the FAQ from LeapFrog.

      http://www.leapfrog.com/en-us/support/products/leappad-ultra/wifi

      So, we weren't making a cheap shot. :)

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.