This vulnerability allows hackers to control the robot system to video chat with children without parental consent. Not only that, the risks associated with the application of this robot system also open up other dangers, such as the personal information of children including name, gender, age and even geographic location can be stolen.
Smart toys can become targets of hacker attacks
This is an Android-powered children's toy robot equipped with a camera and microphone, utilizing artificial intelligence to recognize and name children, automatically adjust responses based on the child's mood, and over time, the robot will get to know the child. To fully exploit the robot's features, parents need to download a control application on their mobile devices. This application allows parents to monitor their child's learning process and even make video calls with the child through the robot.
During the setup phase, parents are instructed to connect the robot to their mobile device via Wi-Fi, after which they provide the child's name and age to the device. However, Kaspersky experts discovered a worrying security issue: the Application Programming Interface (API) that requests child information lacks an authentication feature, while this is an important check to confirm who is allowed to access the user's network resources.
This poses a risk that cybercriminals can intercept and steal a wide range of data, including children's names, ages, genders, countries of residence and even IP addresses, by intercepting and analyzing their network access frequency.
This vulnerability allows an attacker to initiate a live video call with a child, completely bypassing the parental account consent. If the child accepts the call, the attacker can secretly exchange information with the child without the parent's permission. In this case, the attacker can manipulate the child, lure the child out of the house or guide the child to perform dangerous actions.
Furthermore, security issues with the app on the parent’s mobile device could allow an attacker to remotely control the robot and gain unauthorized access to the network. By using brute-force methods to recover the OTP password and the feature of unlimited failed login attempts, the attacker could remotely link the robot to his own account, thereby disabling the owner’s control of the device.
Nikolay Frolov, senior security researcher at Kaspersky ICS CERT, commented: "When buying smart toys, it is important to consider not only their entertainment and educational value, but also their safety and security features. While there is a general perception that higher prices mean better security, it is important to note that even the most expensive smart toys are not completely immune to vulnerabilities that attackers can exploit. Therefore, parents should carefully read toy reviews, always update smart devices to the latest versions and closely monitor their children's play activities."
Source link
![[Photo] Prime Minister Pham Minh Chinh chairs the first meeting of the Central Steering Committee on housing policy and real estate market](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/9/22/c0f42b88c6284975b4bcfcf5b17656e7)
![[Photo] General Secretary To Lam presents the First Class Labor Medal to the Vietnam National Energy and Industry Group](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/9/21/0ad2d50e1c274a55a3736500c5f262e5)
Comment (0)