Security Researchers Find 'Worst Case Scenario' in LeapFrog Kids Tablet

Researchers have found gaping security holes in LeapFrog’s LeapPad Ultimate Tablet for children that could let hackers determine a child’s location, send them messages, and steal sensitive information.

The tablets, which sell for around $80, are geared toward three-to-six-year-olds, and come pre-loaded with everything from game and flashcards, to read-along videos. Parents can also add more than 1,000 other games, eBooks, videos, music, and apps from LeapFrog’s Learning Library.

“The reason we chose LeapFrog is because we are looking at devices that may have hold more serious implications than others,” Erez Yalon, head of security research at security company Checkmarx tells Fortune.

Yalon’s team found several security holes, that if exploited together, could let hackers know a child’s name, age, and gender, where they live, and have the ability to send the child a message to come outside and play.

“We’re looking at the worst case scenario, but as a dad, I’d rather look at the worst case scenario,” Yalon says.

Pet Chat App Gives Away a Kids’ Location

Users of LeapFrog’s Pet Chat app, which lets kids use avatars to chat with other, was pitched as a safe and controlled environment for children. Users could only send a set of pre-loaded emojis and phrases rather than write original messages.

But hackers could have dug into the plumbing powering the Pet Chat app’s chat room. The app created a Wi-Fi connection using the identifier “Pet Chat”, which then broadcast to other compatible devices nearby while restricting access to the greater Internet.

A hacker could have found “Pet Chat” on Wi-Fi and track the MAC address, a unique identifier for networked devices. The hacker could then have visited WiGLE, a website that tracks global wireless hotspots and consolidates location information, to see where kids are using Pet Chat and when a device was last used.

After learning a child’s location, hackers could send them a preset phrase available through the device like “Let’s go!” and “play outside together.” They could then tempt a child to go outside, where the hacker could be waiting.

Stealing sensitive information that could be used against children

Additionally, Checkmarx discovered that hackers could launch phishing and man-in-the-middle attacks to steal information ranging from a kid’s name, gender, and birthday, to a parent’s credit card information, billing address, and phone number.

For example, hackers could spoof an existing Wi-Fi network and force devices on the original network to reconnect to the new, fraudulent one. Since traffic isn’t encrypted, Checkmarx was able to see parents’ and children’s private information when it tried out the hack.

After the devices were logged into the spoof network, Checkmarx was also able to create a fake portal that asked parents for information such as the last six digits of their credit cards on file.

Checkmarx brought the issues to LeapFrog’s attention in December, and said the company worked with it to quickly make changes. LeapFrog made the first fixes in February and then in June confirmed to Checkmarx that it would remove Pet Chat from its app store.

Mari Sunderland, vice preside of digital product management at LeapFrog, says “safety of the children who use our products is a top priority.”

“With the information they provided, we were able to take immediate actions to resolve the issues,” she says. There have been no reports of anyone exploiting these security holes.

As a parent, Yalon says he wouldn’t let these security problems deter him from buying LeapFrog’s tablet in the future, since the company quickly worked to fix the problems. However, he says he hopes the research will serve as a good reminder that there’s “no such thing as foolproof security,” even if a company tries to make its own safe browsers or portals away from the greater Internet.

“The least we can do is try to find [vulnerabilities] as soon as possible in the process, or if a product is already out, to make sure the company is responsive in fixing it,” he says.