Vulnerabilities in a popular smart robot toy could turn children into a potential target for cybercriminals, Kaspersky researchers have revealed.
The weaknesses could enable hackers to gain control of the toy's system and use it to secretly communicate with children via video chat without parental consent. Risks associated with the robotic system include the danger of compromising sensitive data such as users' names, gender, age and even location.
The Android-based robot, designed for children, has a built-in video camera and microphone. It uses artificial intelligence to recognize and interact with children by name and adjust its reactions depending on the child's mood, gradually getting to know them over time. To unlock the full potential of the toy, parents need to download an app on their mobile device. With the app, parents can track their child's learning progress and even initiate a video call with them through the robot.
During the initial setup, parents are invited to connect the toy to a Wi-Fi network, pair it with a mobile device, and then specify the child's name and age. At this stage, Kaspersky experts discovered a security issue: the API (Application Programming Interface) responsible for requesting this information lacks authentication, the step that confirms who can access network resources. This potentially allows attackers to obtain various types of data, including a child's name, age, gender, country of residence, and even IP address, by intercepting and analyzing network traffic.
Moreover, this flaw allows attackers to use the robot's camera and microphone to initiate direct calls to users, bypassing the necessary authorization from the guardians' account. If the child accepts the call, the attacker can conduct covert communication without parental consent. In such cases, the attacker can manipulate the user by luring them out of their safe home or inducing them to engage in risky behavior.
In addition, security issues with the parent mobile app could allow an attacker to remotely gain control of the robot and unauthorized access to the network. Because the six-digit one-time password (OTP) can be recovered by brute force and there is no limit on failed attempts, an attacker could remotely bind the robot to their own account, effectively taking the device out of its owner's control.
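The control missing from the pairing flow described above is a cap on failed OTP guesses. The sketch below is an added example, not code from the toy, its app or Kaspersky's research; the class name, the five-attempt cap and the 120-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: failed guesses allowed per issued code
OTP_TTL_SECONDS = 120   # assumed policy: lifetime of one pairing code


class PairingOtp:
    """One pairing code for one robot; burned on success, expiry or lockout."""

    def __init__(self, now=None):
        issued = time.time() if now is None else now
        self.code = f"{secrets.randbelow(10**6):06d}"  # six digits from a CSPRNG
        self.expires_at = issued + OTP_TTL_SECONDS
        self.failures = 0
        self.burned = False

    def verify(self, guess, now=None):
        """Return 'paired', 'wrong', 'locked' or 'rejected'."""
        now = time.time() if now is None else now
        if self.burned or now >= self.expires_at:
            self.burned = True
            return "rejected"   # the owner must request a fresh code
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.burned = True  # single use
            return "paired"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.burned = True  # further guesses against this code are useless
            return "locked"
        return "wrong"


def guess_success_bound(attempts=MAX_ATTEMPTS, digits=6):
    """Upper bound on the chance that blind guessing hits one issued code."""
    return attempts / 10**digits
```

With no cap, all 1,000,000 six-digit codes can be tried against a single issued code; with the cap, each issued code gives a guesser at most a 5-in-1,000,000 chance, and re-issuing should itself be rate-limited per account and device.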
"When purchasing smart toys, it becomes imperative to prioritize not only their entertainment and educational value but also their safety and security features. Despite the common belief that a higher price tag implies enhanced security, it is essential to understand that even the most expensive smart toys may not be immune to vulnerabilities that attackers can exploit. Hence, parents must carefully examine toy reviews, remain vigilant about updating smart device software, and closely supervise their child's activities during playtime," states Nikolay Frolov, senior security researcher at Kaspersky’s ICS CERT.
To keep all smart devices secure and protected, Kaspersky experts compiled the following tips: