Security vulnerabilities discovered in children's smart toys

This vulnerability allows hackers to control the robot system to video chat with children without parental consent. Not only that, the risks associated with the application of this robot system also open up other dangers, such as the child's personal information including name, gender, age and even geographic location can be stolen.

This is an Android-powered children's toy robot equipped with a camera and microphone, utilizing artificial intelligence to recognize and name children, automatically adjust responses based on the child's mood, and after a while, the robot will get to know the child. To fully exploit the robot's features, parents need to download the control application on their mobile devices. This application allows parents to monitor the child's learning process and even make video calls with the child through the robot.

During the setup phase, parents are instructed to connect the robot to their mobile device via Wi-Fi, after which they provide the child’s name and age to the device. However, Kaspersky experts discovered a worrying security issue: the Application Programming Interface that requests child information lacks an authentication feature, while this is an important check to confirm who is allowed to access the user’s network resources.

This poses a risk that cybercriminals can intercept and steal a wide range of data, including a child's name, age, gender, country of residence and even IP address, by intercepting and analyzing the frequency of network access.

This vulnerability allows an attacker to initiate a live video call with a child, completely bypassing the parental account consent. If the child accepts the call, the attacker can secretly communicate with the child without the parent's permission. In this case, the attacker can manipulate the child, lure the child out of the house or instruct the child to perform dangerous actions.

Furthermore, security issues with the app on a parent’s mobile device could allow an attacker to remotely control the robot and gain unauthorized access to the network. By using brute-force methods to recover OTP passwords and the feature of unlimited failed login attempts, an attacker could remotely link the robot to his own account, thereby disabling the owner’s control of the device.

“When buying smart toys, it is important to consider not only their entertainment and educational value, but also their safety and security features,” said Nikolay Frolov, senior security researcher at Kaspersky ICS CERT. “While there is a general perception that higher prices mean better security, it is important to note that even the most expensive smart toys are not completely immune to vulnerabilities that attackers can exploit. Therefore, parents should carefully read toy reviews, keep smart devices updated with the latest versions, and closely monitor their children’s play activities.”