
Kaspersky has discovered security vulnerabilities in an Android smart toy robot that could let cybercriminals make video calls to children and harvest sensitive data about them, including their names, genders, ages, and locations.

Nikolay Frolov, a senior security researcher at Kaspersky’s ICS CERT, shared the company’s findings at the Mobile World Congress 2024 on Tuesday.

While Kaspersky has refrained from naming the toy for security reasons, photos and screenshots in its blog post show the toy was designed in India and manufactured in China. The images hinted at the name “Superbot.”

“Despite the common belief that a higher price tag implies enhanced security, it is essential to understand that even the most expensive smart toys may not be immune to vulnerabilities that attackers can exploit,” Frolov said in a press release shared with VPNOverview.

“Hence, parents must carefully examine toy reviews, remain vigilant about updating smart device software, and closely supervise their child’s activities during playtime,” he added.

Kaspersky reported the vulnerabilities to the vendor, and they have been addressed.

Vulnerabilities in the Smart Toy

At the heart of Kaspersky’s research is an educational robot — a “tablet on wheels” — equipped with a colorful screen, camera, microphone, and internet access. This device is designed for educational engagement, offering games, educational apps, and a voice assistant.

“During initial setup, parents are instructed to connect the toy to a Wi-Fi network, link it to their mobile device, then provide the child’s name and age,” Kaspersky said in its press release.

“During this phase, Kaspersky experts have uncovered a concerning security issue: the responsible API (Application Programming Interface) for requesting this information lacks authentication enforcement, a step that confirms who can access your network resources,” the company explained.

As a result, threat actors can intercept and analyze the device’s network traffic. This could allow cybercriminals to uncover sensitive information about the child using the toy.

“What’s more, the flaw enables cybercriminals to exploit the robot’s camera and microphone, initiating direct calls to users, bypassing the required authorization from the guardian’s account,” Kaspersky said.

Also, an analysis of the robot’s firmware and file system, conducted with the manufacturer’s cooperation, showed other security lapses like debug modes left active on production servers and lack of digital signatures for software updates.

This is not the first report highlighting privacy and security risks with smart toys. In November 2023, a report by the U.S. Public Interest Research Group showed that smart toys pose serious privacy and safety threats by failing to store children’s data properly. The report also warned that predators can exploit the features of smart toys to target children.

How to Use Smart Toys Safely

While only 1 in 5 Americans feel vulnerable to cyberattacks at home, the reality is that smart devices in the average home, including routers and smart toys, are increasingly targeted by cybercriminals. To help address this, the White House has announced a “Cyber Trust” label to indicate which smart home devices meet basic cybersecurity standards.

To protect yourself from these threats, Kaspersky recommends regularly updating the firmware of connected devices to benefit from the latest security patches.

It’s also important to read about the security and data collection practices of manufacturers before purchasing smart devices, opting for those with solid reputations and a commitment to regular updates.

Additionally, manage app permissions carefully, granting what’s necessary and avoiding excessive access, Kaspersky said. For added security, smart toys should be powered off when not in use, with their microphones stored away and cameras covered or redirected.

Read our guide to internet safety for kids for more useful tips.
