Popular smart toys for children have been found to be vulnerable to attackers. Kaspersky Lab discovered a number of weaknesses in the software of one popular gadget. By hacking such a robot, attackers could gain the ability to communicate with a child without the knowledge of his or her parents, and to spy on and eavesdrop on the child and on what is happening in the house or apartment. In addition, the robot could also leak personal data, from the address where the child lives to the e-mail addresses, phone numbers and other details of his or her parents.
The manufacturers of the Android-based gadget have already been notified of the security issues and have fixed them. However, they are not the only manufacturers of smart toys that may pose a threat to their owners.
Smart Robot Vulnerabilities
Before the robot investigated at Kaspersky Lab could be used, it had to be linked to an adult's account via a special application on a smartphone. When the toy was first turned on, it asked the user to select a Wi-Fi network, link the robot to the parent's mobile device, and enter the child's name and age.
This data was transmitted over HTTP in cleartext, so anyone using network traffic analysis software could intercept it from outside. HTTP was used only until the robot's firmware was updated to the current version; after the update, HTTPS was used.
The experts also studied several network requests and saw that one of them returned an API access token based on the following authentication data: username, password, and key. Moreover, it did so even if the request contained a deliberately incorrect password made up of an arbitrary set of characters.
The next network request returned the configuration parameters of a specific robot by a unique identifier consisting of nine characters. Since this identifier was short and predictable, a potential attacker could quickly guess it and, as a result, obtain information about the toy's owner, including IP address, country of residence, and the child's name, gender and age, and, with the help of another request, the adult's e-mail address and phone number and the code for linking his or her mobile device to the robot.
Security experts also found that there were no security checks when making video calls. This means that attackers could potentially call children without authorization from a parent's account and without the adults' knowledge.
The mechanism for taking control of the robot also turned out to be weak. The password could be guessed an unlimited number of times, and once it had been guessed, an attacker could potentially link the robot remotely to his or her own account instead of the parent's.
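As an added illustration, not code from the article or from the toy's vendor, the Python below contrasts the token-issuing bug described above with a hardened version that actually verifies the password, locks the account after repeated failures (closing the unlimited-guessing hole), and issues unguessable device identifiers instead of short predictable ones. All names, limits and sample accounts are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo: a device-cloud login service as the article's findings
# describe it (token issued regardless of password, unlimited attempts,
# short guessable device id) beside a hardened version.

MAX_ATTEMPTS = 5          # assumed lockout threshold per account
LOCKOUT_SECONDS = 900     # assumed lockout duration
PBKDF2_ROUNDS = 100_000


def weak_issue_token(users, username, password):
    # Weak: the password is never checked, any known username gets a token.
    return "token-" + username if username in users else None


class AuthService:
    """Hardened: salted password hashing, constant-time compare, lockout."""

    def __init__(self):
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.failures = {}   # username -> (failed count, locked_until)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def issue_token(self, username, password, now=None):
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return None  # locked out: refuse before touching the password
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if record and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return secrets.token_urlsafe(32)  # fresh random bearer token
        count += 1
        locked = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self.failures[username] = (count, locked)
        return None


def new_device_id():
    # 128 random bits: cannot be enumerated like a nine-character sequential id.
    return secrets.token_hex(16)
```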
How to Secure Your Smart Devices and Smart Toys
Kaspersky Lab recommends that, before buying a device, you study information about it and its developer and trust only reputable manufacturers. It is advisable to read not only user reviews but also detailed reviews and security research on the gadget or toy.
After purchasing the device, you must:
- review and restrict the permissions granted to the mobile applications used to manage the device;
- regularly update the firmware and software of all connected devices; updates often contain important security fixes that eliminate known vulnerabilities;
- secure the mobile devices through which smart gadgets are managed by using a reliable security solution;
- to avoid being spied on or eavesdropped on through smart devices, turn them off when not in use. You should also cover the built-in camera with a shutter or a sticker.
In addition, security experts recommend that parents who have bought such smart toys supervise their children while they interact with the gadgets.