“Kid Safe WiFi” Tablet Not So Safe

by NewsEditor_ on March 10th, 2016 in Industry and Security News.

Recently security researcher Mark Carthy was shopping for a new Hello Barbie, an internet-connected version of the doll under scrutiny for a number of security issues. He was unable to find one but noticed the LeapPad ULTRA children’s tablet from LeapFrog, particularly the bright orange sticker on the box announcing the device offered “Kid Safe WiFi.” He found the phrase dubious, writing on his blog, “Yeah right, I thought – that’s like child friendly heroin.”

LeapFrog, the maker of the children’s tablet, was recently purchased by VTech, a popular manufacturer of children’s toys which experienced a data breach late last year. Back in November 2015, almost 5 million customer records were affected by the breach of the Hong Kong-based company. Most notably, children’s names, dates of birth, and passwords were exposed in the incident. 

Carthy performed a number of tests on the LeapFrog tablet, eventually focusing on the tablet’s video streaming feature. He discovered that the tablet uses an old version of Adobe Flash to stream video content. The version that comes pre-loaded on the device is Adobe Flash 19.0.0.185. This version of Flash has a well-documented vulnerability that could allow an attacker to infiltrate a device running the program and execute malicious computer code. As Carthy points out, this highlights “a serious problem with manufacturers not enforcing compulsory updates on products (many of which will have been sitting on shelves for months).”

Carthy was only prompted to update the Adobe Flash software after connecting the kids’ tablet to his own computer, something most parents may never do. Additionally, he was able to connect to LeapFrog’s proprietary content servers through his laptop after discovering its network location. He proposes a number of worst-case scenarios, including “an international Sesame Street botnet operational within an hour.” A botnet is a group of computers which have been breached and controlled by a third party and coordinated to collectively perform the same task, such as sending out spam emails or executing a denial-of-service attack. This worst-case scenario, while possible, is highly unlikely.

He points out a more plausible and far more disturbing worst-case scenario: “any malware exploiting these vulnerabilities would be able to gain full access to the device – allowing an attacker activate the built-in microphone, monitor your child’s activity and even take pictures of them using both the front and rear facing cameras on the device.”

The LeapFrog LeapPad ULTRA tablet is marketed as “the ultimate kids’ learning tablet” for kids ages 4 to 9 years. The company claims that users “Access only age-appropriate content, prescreened by LeapFrog with customizable parental controls.” While the problems with Adobe Flash cannot be blamed on the manufacturer of this toy, it is their responsibility to ensure critical security updates are installed prior to the device’s use by children. At the very least, the manufacturer should warn customers that such updates are required, so that parents can take the necessary precautions of updating the device and ensuring the safety of their kids.
