An Android-based robot designed for kids is equipped with a built-in video camera and microphone. It harnesses artificial intelligence to recognize and interact with children by name and to adjust its responses based on the child’s mood, gradually getting acquainted with them over time. To unlock the full potential of the toy, parents are required to download the application to their mobile device. Through this app, parents can track the child's progress with their learning activities and even initiate a video call with the child via the robot.
During initial setup, parents are instructed to connect the toy to a Wi-Fi network, link it to their mobile device, then provide the child’s name and age. During this phase, Kaspersky experts have uncovered a concerning security issue: the responsible API (Application Programming Interface) for requesting this information lacks authentication enforcement, a step that confirms who can access your network resources. This potentially allows cybercriminals to intercept and access various types of data – including the child’s name, age, gender, country of residence, and even their IP address – by intercepting and analyzing the network traffic. What’s more, this flaw enables cybercriminals to exploit the robot’s camera and microphone, initiating direct calls to users, bypassing the required authorization from the guardians’ account. If a child accepts this call, an attacker can communicate covertly, without parents’ consent. In such cases, the attacker could manipulate the user, potentially luring them out of the safety of their home or influencing them into engaging in risky behaviors.
Furthermore, security issues of the parent’s mobile application may enable an attacker to remotely take control over the robot and gain unauthorized access to the network. Using brute-force methods to recover the six-digit one time-password (OTP), and with no enforced limit on failed attempts, an attacker could remotely link the robot to his own account, effectively taking the device out of its owner’s control.
‘When purchasing smart toys, it becomes imperative to prioritize not only their entertainment and educational value but also their safety and security features. Despite the common belief that a higher price tag implies enhanced security, it is essential to understand that even the most expensive smart toys may not be immune to vulnerabilities that attackers can exploit. Hence, parents must carefully examine toy reviews, remain vigilant about updating smart device software, and closely supervise their child's activities during playtime,’ comments Nikolay Frolov, senior security researcher at Kaspersky’s ICS CERT.
The findings from the team's thorough research were presented during the panel session titled 'Empowering the Vulnerable in the Digital Environment' at Mobile World Congress (MWC) 2024.
The Kaspersky team reported all the vulnerabilities they discovered to the vendor, who promptly patched them.
Learn more on Securelist.com.
To keep all smart devices, secure and protected, Kaspersky experts compiled the following tips:
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.