LAS VEGAS – IoT devices are increasingly coming into the hands of children – from connected watches, to Amazon Echo smart speakers – but security experts worry that these are opening up children’s data to future privacy breaches.
The latest example of this fear was seen at Black Hat 2019, where serious vulnerabilities were disclosed in LeapFrog’s tablet for kids, the LeapPad Ultimate. Erez Yalon, director of security research at Checkmarx, who disclosed the flaws at Black Hat 2019 on Wednesday, said the tablet has a number of security issues opening the door to a slew of malicious activities by an adversary. Those include allowing bad actors to track the devices, send messages to children or launch man-in-the-middle attacks.
It’s only the latest children’s toy to have issues around security and privacy. After CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach, Amazon, Target and Walmart have pulled the toys from their online markets. Genesis Toys’ My Friend Cayla doll (which was banned in Germany) and Mattel’s Hello Barbie doll have also undergone major security issues.
“I think that the vendors and manufacturers need to understand that creating devices for users that are under age, it means two things,” Yalon told Threatpost. “First of all, it means that the target is more problematic. I think that the results might be more catastrophic. Also, we’re dealing here with users that are sometimes not really aware of the safety needed.”
For a full video of Threatpost’s interview with Yalon, see below.
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.