23:26
12:28
12:28
09:03
09:03
15:41
23:26
12:28
12:28
09:03
09:03
15:41
23:26
12:28
12:28
09:03
09:03
15:41
23:26
12:28
12:28
09:03
09:03
15:41
Vulnerabilities in a popular smart robot toy could turn children into a potential target for cybercriminals, Kaspersky researchers have revealed.
The weaknesses could enable hackers to gain control of the toy's system and use it to secretly communicate with children via video chat without parental consent. Risks associated with the robotic system include the danger of compromising sensitive data such as users' names, gender, age and even location.
The Android-based robot, designed for children, has a built-in video camera and microphone. It uses artificial intelligence to recognize and interact with children by name and adjust its reactions depending on the child's mood, gradually getting to know them over time. To unlock the full potential of the toy, parents need to download an app on their mobile device. With the app, parents can track their child's learning progress and even initiate a video call with them through the robot.
During the initial setup, parents are invited to connect the toy to a Wi-Fi network, pair it with a mobile device, and then specify the child's name and age. At this stage, Kaspersky experts discovered a security issue: the responsible API (Application Programming Interface) for requesting this information lacks authentication, a step that confirms who can access network resources. This potentially allows attackers to intercept and access various types of data - including a child's name, age, gender, country of residence, and even IP address - by intercepting and analyzing network traffic.
Moreover, this flaw allows attackers to use the robot's camera and microphone to initiate direct calls to users, bypassing the necessary authorization from the guardians' account. If the child accepts the call, the attacker can conduct covert communication without parental consent. In such cases, the attacker can manipulate the user by luring them out of their safe home or inducing them to engage in risky behavior.
In addition, security issues with the parent mobile app could allow an attacker to remotely gain control of the robot and unauthorized access to the network. Using a brute force method to recover a six-digit one-time password (OTP) and with no limit on failed attempts, an attacker could remotely bind the robot to its account, effectively taking the device out of the control of its owner.
When purchasing smart toys, it becomes imperative to prioritize not only their entertainment and educational value but also their safety and security features. Despite the common belief that a higher price tag implies enhanced security, it is essential to understand that even the most expensive smart toys may not be immune to vulnerabilities that attackers can exploit. Hence, parents must carefully examine toy reviews, remain vigilant about updating smart device software, and closely supervise their child's activities during playtime,
states Nikolay Frolov, senior security researcher at Kaspersky’s ICS CERT.
To keep all smart devices, secure and protected, Kaspersky experts compiled the following tips: