Security holes in smart toys pose a danger to children

Báo Sài Gòn Giải phóng, 18/03/2024


Kaspersky researchers have discovered vulnerabilities in smart toy robots that could make children targets for cybercriminals.

Flaws in smart toy robots could make children targets for cybercriminals

The vulnerability allows hackers to take control of the robot system and video chat with children without parental consent. The risks tied to the robot's application also open up other dangers: the child's personal information, including name, gender, age and even geographic location, can be stolen.

This is an Android-powered children's toy robot equipped with a camera and microphone. It uses artificial intelligence to recognize children and call them by name, automatically adjusts its responses to the child's mood, and over time gets to know the child. To fully use the robot's features, parents need to download the control application on their mobile devices. This application allows parents to monitor the child's learning process and even make video calls with the child through the robot.


Specifically, Kaspersky experts discovered a worrying security issue: the application programming interface (API) that requests child information lacks authentication, an important check that confirms who is allowed to access the user's network resources. As a result, cybercriminals can intervene and steal many types of data, including the child's name, age, gender, country of residence and even IP address, by intercepting and analyzing the frequency of network access. This vulnerability allows the attacker to initiate a live video call with the child, completely bypassing consent from the parent's account. If the child accepts the call, the attacker can communicate secretly with the child without the parent's permission. In this case, the attacker can manipulate the child, lure the child out of the house or instruct the child to perform dangerous behaviors.

Furthermore, security issues with the app on a parent’s mobile device could allow an attacker to remotely control the robot and gain unauthorized access to the network. By brute-forcing the one-time password (OTP), which is possible because the number of failed login attempts is unlimited, an attacker could remotely link the robot to his own account, thereby disabling the owner’s control of the device.
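As an added illustration (not code from Kaspersky or the toy's vendor), the sketch below shows the server-side control whose absence is described above: a device-linking OTP that expires, can be used once, and is discarded after a fixed number of failed guesses. The class name, the six-digit code length and the limits are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: failed guesses allowed per issued code
OTP_TTL_SECONDS = 300   # assumed policy: lifetime of an issued code


class LinkOtpVerifier:
    """Hypothetical server-side state for one pending link OTP per robot."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # robot_id -> [otp, expires_at, failures]

    def issue(self, robot_id):
        # Callers must be authenticated and issuance itself rate-limited,
        # otherwise a guesser just requests a fresh code after each lockout.
        otp = f"{secrets.randbelow(10**6):06d}"  # six digits is an assumption
        self._pending[robot_id] = [otp, self._clock() + OTP_TTL_SECONDS, 0]
        return otp

    def verify(self, robot_id, guess):
        entry = self._pending.get(robot_id)
        if entry is None:
            return "no_pending_code"
        otp, expires_at, _failures = entry
        if self._clock() >= expires_at:
            del self._pending[robot_id]
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(otp.encode(), guess.encode()):
            del self._pending[robot_id]  # single use
            return "linked"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            # Burn the code: with the cap, at most MAX_ATTEMPTS of the
            # 10**6 possible values can ever be tried against it.
            del self._pending[robot_id]
            return "locked"
        return "rejected"
```

With these assumed limits, a guesser gets five tries out of one million possible codes per issued OTP, instead of being able to walk the whole code space.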

To ensure the safety of smart devices, Kaspersky experts have given the following advice:

• Regularly update your technology devices: Update the firmware programmed into your electronic device's hardware and the software for all connected devices, including smart toys. These updates often contain important security patches to fix vulnerabilities.

• Research products before buying: Check the manufacturer's security and privacy practices thoroughly before purchasing a smart toy or any connected device. Choose devices from reputable brands, preferably ones that focus on security and provide regular updates.

• Be careful with app permissions: Review and limit mobile apps' access to smart devices. Only grant access to the features and data that are needed, and refrain from granting unnecessary privileges.

• Turn off the product when not in use: Turn off the smart toy when not in use to prevent data leakage. If the device has a microphone, store it in a hard-to-reach place, cover it, or point the camera away when not in use.

• Use a trusted security solution: Use a trusted security solution to help protect your entire smart device ecosystem.

“When buying smart toys, it is important not only to consider their entertainment and educational value, but also to consider their safety and security features. Therefore, parents should carefully read toy reviews, keep smart devices updated with the latest versions, and closely monitor their children’s play activities,” said Nikolay Frolov, senior security researcher at Kaspersky ICS CERT.

BINH LAM


