Popular smart robots for children found vulnerable to attackers

They could be used to communicate with a child without the parents' knowledge, spy, eavesdrop, and steal personal data

Popular smart robots for children have been found to be vulnerable to attackers. Kaspersky Lab has discovered a number of weaknesses in the software of a popular gadget. By hacking such a robot, attackers could communicate with a child without the parents' knowledge, and spy on and eavesdrop on the child and on what is happening in the home. The robot could also leak personal data: from the address where the child lives to the e-mail addresses, phone numbers and other data of the parents.

The manufacturers of the Android-based gadget have already been notified of the security issues and have eliminated them. However, they are not the only manufacturers of smart toys that may pose a threat to their owners.

Vulnerabilities of a smart robot

Before the robot examined at Kaspersky Lab could be used, it had to be linked to an adult's account via a dedicated smartphone application. When switched on for the first time, the toy asked the user to select a Wi-Fi network, link the robot to the parent's mobile device, and enter the child's name and age.

This data was transmitted over HTTP in clear text, so anyone able to observe the network traffic could intercept it with traffic-analysis software. HTTP was used until the robot's firmware was updated to the current version; after the update, HTTPS was used.

Experts also studied some of the network requests and saw that one of them returns an API access token based on the following authentication data: username, password and key. Moreover, the token was returned even when the request contained a deliberately incorrect password made up of an arbitrary set of characters.

The next network request returned the configuration parameters of a specific robot, looked up by a unique identifier of nine characters. Because this identifier was short and predictable, potential attackers could quickly enumerate it and thereby obtain information about the toy's owner, including IP address, country of residence, and the child's name, gender and age; a further request yielded the adult's e-mail address and phone number and the code for linking his or her mobile device to the robot.

Security experts also found that there were no security checks when making video calls. This means that attackers could potentially call children without authorization from a parent's account and without the knowledge of adults.

The mechanism for taking control of the robot was also weak. The password could be guessed an unlimited number of times, and it was easy to guess; having guessed it, an attacker could remotely link the robot to his or her own account instead of the parent's.
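As an added illustration (not the toy vendor's code) of how the token endpoint and the robot identifiers should behave to close the weaknesses described above: the token is issued only after the password has actually been verified, repeated failures for an account trigger a temporary lockout instead of allowing unlimited guesses, and both tokens and robot identifiers are long random values rather than short predictable ones. The account store, names and thresholds are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed account store: username -> salted PBKDF2 hash of the password.
# The password itself is never stored, only its hash.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = os.urandom(16)
ACCOUNTS = {"parent@example.invalid": _hash("correct horse", SALT)}

MAX_ATTEMPTS = 5          # failed logins allowed before the account locks (assumed value)
LOCKOUT_SECONDS = 900     # how long the lock lasts (assumed value)
_failures = {}            # username -> (failed attempt count, timestamp of first failure)
_tokens = {}              # issued token -> username

def issue_token(username, password, now=None):
    """Return an API token only if the password is correct; otherwise None.
    Unlike the endpoint in the article, a wrong password never yields a token,
    and after MAX_ATTEMPTS failures the account is locked for LOCKOUT_SECONDS."""
    now = time.time() if now is None else now
    count, since = _failures.get(username, (0, now))
    if count >= MAX_ATTEMPTS and now - since < LOCKOUT_SECONDS:
        return None                       # locked out: refuse without checking the password
    candidate = _hash(password, SALT)     # always computed, so unknown users cost the same time
    stored = ACCOUNTS.get(username)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        # start a fresh window if the previous lockout has expired, else count the failure
        _failures[username] = (1, now) if now - since >= LOCKOUT_SECONDS else (count + 1, since)
        return None
    _failures.pop(username, None)
    token = secrets.token_urlsafe(32)     # 256 random bits; not derivable from the username
    _tokens[token] = username
    return token

def new_robot_id():
    """Identifier used to look up a robot's configuration and owner data.
    128 random bits make enumeration infeasible, unlike a nine-character predictable id."""
    return secrets.token_hex(16)
```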

How to secure your smart devices and smart toys

Kaspersky Lab recommends studying information about a device and its developer before purchasing it, and trusting only reputable manufacturers. It is worth reading not only user reviews but also detailed expert reviews and security studies of the gadget or toy.

After purchasing the device, you must:

  • review and restrict the permissions granted to the mobile applications that manage the device;
  • regularly update the firmware and software of all connected devices: updates often contain important security fixes that close known vulnerabilities;
  • protect the mobile devices through which smart gadgets are managed with a reliable security solution;
  • to prevent spying and eavesdropping via smart devices, turn them off when not in use, and cover the built-in camera with a purpose-made shutter or a sticker.

In addition, security experts recommend that parents who have purchased such smart toys for their children supervise them while interacting with gadgets.
