Several vulnerabilities have been found in apps available for Leapfrog’s LeapPad children’s tablets that can be exploited to locate kids, interact with them or phish for parental information. The tablets themselves do not use the HTTPS protocol, which means information sent from the tablet is not encrypted and exposes the tablet to packet sniffing. The flaws were found on the LeapPad Ultimate tablets that were specifically created to shield from the dangers of the internet. The primary flaw found is with the app called Pet Chat, which allows children to talk to one another in a chat room using preset phrases and emoticons. The app also creates an ad hoc WiFi network that broadcasts its proximity using the SSID “Pet Chat.” Anyone who happens to be scanning for open WiFi signals and uploads them to WiGLE–a wireless network mapping site–can collect details on the device. With the non-encrypted nature of the LeapPad, this leaves the Pet Chat app open for attackers to intercept the messages and perform a Man-in-the-Middle attack (MitM), as well as steal the parent’s credit card info, email, name, address and the details on the child that uses the tablet. Using the MitM attack, an attacker could potentially communicate directly with the child to attempt to get the child to give even more information.
Analyst Notes
While LeapFrog was quick to solve these issues and remove Pet Chat from its stores, the app may still be available on older tablets. Parents are recommended to check for the app and manually remove it if it’s found.
