Smart toy hole ‘puts children at risk of cybercriminal video-chats’

Cybersecurity researchers said they have uncovered “troubling vulnerabilities” within a widely used smart toy robot, raising serious concerns about children’s online safety. 

Kaspersky, the cybersecurity company, presented findings of the recent investigation at the Mobile World Congress (MWC) Barcelona 2024, under the theme “How Can We Empower the Vulnerable in the Digital Environment?”

This interactive toy, described as a “tablet on wheels,” boasts features like gaming, educational applications, voice assistants, and internet connectivity, all powered by the Android operating system. 

However, flaws discovered in the toy’s system, which includes a built-in camera and microphone, could potentially expose children to cybercriminals who exploit these vulnerabilities to engage in clandestine video chats, researchers from the cybersecurity firm Kaspersky report.

During the setup process, which involves linking the toy to a parent’s mobile device and providing basic information about the child, such as name and age, Kaspersky’s researchers identified a critical security gap: the absence of authentication enforcement in the application programming interface (API).

This oversight, according to the findings, enables hackers to obtain sensitive data, including the child’s personal details such as name, age, gender and even IP address, by intercepting and analysing the network traffic.

Furthermore, these vulnerabilities could allow cybercriminals to remotely access the toy’s camera and microphone, initiating video calls to the child without consent from the guardian or parent. Such unauthorised access poses serious risks, potentially exposing children to manipulation or influencing them to engage in risky behaviours.

Compounding the issue, flaws in the parent’s mobile application could permit remote attackers to hijack the toy by bypassing security measures, using brute-force methods to recover the six-digit one-time password (OTP) and gain unauthorised access to the network. With no limit on failed OTP attempts, hackers could seize control of the device by linking the robot to their own account, effectively taking the device out of its owner’s control.
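The control the report found missing, a cap on failed attempts against a six-digit OTP, is sketched below as an added example; it is not the vendor's or Kaspersky's code. The class name, the five-attempt budget and the five-minute lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5       # assumed policy: failed guesses allowed per code
OTP_TTL_SECONDS = 300  # assumed policy: lifetime of one pairing code
OTP_DIGITS = 6         # the report describes a six-digit OTP


class PairingOtp:
    """Hypothetical server-side record for one device-pairing code."""

    def __init__(self, now=None):
        issued = time.time() if now is None else now
        # Codes come from a CSPRNG, zero-padded to six digits.
        self.code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.expires_at = issued + OTP_TTL_SECONDS
        self.failures = 0
        self.used = False

    def verify(self, guess, now=None):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'used'."""
        now = time.time() if now is None else now
        if self.used:
            return "used"
        if now >= self.expires_at:
            return "expired"
        # The lock is checked before the comparison, so a correct guess
        # that arrives after the budget is spent is still refused.
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.used = True  # single use: the code cannot be replayed
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_ATTEMPTS else "wrong"


def guess_success_bound(max_attempts=MAX_ATTEMPTS, digits=OTP_DIGITS):
    """Upper bound on a blind guesser's success chance for one code."""
    return max_attempts / 10 ** digits
```

Without the `failures` check, the whole code space of one million values can be tried against a single code; with it, one code gives a blind guesser at most a 5-in-1,000,000 chance before a fresh code has to be issued.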

Commenting on the development, Nikolay Frolov, a senior security researcher at Kaspersky’s ICS CERT, said that, “when purchasing smart toys, it becomes imperative to prioritise not only their entertainment and educational value but also their safety and security features. Despite the common belief that a higher price tag implies enhanced security, it is essential to understand that even the most expensive smart toys may not be immune to vulnerabilities that attackers can exploit. Hence, parents must carefully examine toy reviews, remain vigilant about updating smart device software, and closely supervise their child’s activities during playtime.”

Subsequently, the researchers reported the vulnerabilities to the vendor, who promptly implemented patches to mitigate the risks, according to Kaspersky.
