14 DAY TRIAL // LeapPad ULTRA tablets from LeapFrog are using outdated Flash versions and insecure technology for delivering content to their users, which expose kids who use them to hacking, security researcher Mike Carthy has found.
Mr. Carty had discovered that, compared to other products, these tablets were quite secure to handle, but not perfect. The first flaw he came across was when he was investigating the tablet's software.
The tablet, being only destined for kids, had limited functionality. When starting up, it would load a browser with no UI that accessed only one URL, hard-coded inside the browser itself.
The researcher snooped on the network traffic to discover this URL, and when he accessed it inside his own laptop's browser, he found it was using insecure technology to deliver content to the tablet. Instead of deploying the more modern and secure HTML5, LeapFrog opted for a Flash-based delivery system.
Flash, Flash, everywhere you look it's Flash!
When Mr. Charty connected the tablet to his PC, he discovered the second problem, as the tablet immediately asked him to update the Flash version (installed on the tablet).
Apparently, LeapFrog wasn't using an auto-update mechanism and was relying on users to update the software. Taking into account that this prompt only came on when connecting the tablet to a PC, and nowhere in the tablet's settings was this information available, this means that many kids around the world are currently using devices with an outdated Flash Player.
The researcher's tablet was running Adobe Flash Player 19.0.0.185, which was released at the end of September 2015. In subsequent versions, security researchers discovered a dangerous and easy-to-exploit Flash vulnerability that allowed attackers to execute code on affected devices.
"Can you imagine [if] I’d searched for a persistent XSS vulnerability on that site? I’d be able to inject malicious code into the pages and exploit Adobe Flash, deliver a reverse connection back to my machine and have an international Sesame Street botnet operational within an hour," Mr. Charty speculated on his blog about ways to exploit his findings.
By chaining the two vulnerabilities together, he could exploit the main LeapFrog website from where content is loaded to all tablets, deliver an exploit package to devices, which leveraged older, insecure Flash versions, and infected the devices with any type of malware wanted.
LeapFrog is owned by VTech. Yes, that VTech!
The usage of so much Flash-based technology inside this product might be explained by the fact that LeapFrog, the parent company, was acquired by VTech.
At the end of November 2015, VTech suffered a major data breach because of an SQL injection flaw, which exposed details for 4.8 million parents and over 200,000 children.
The security researcher who investigated that incident said that VTech's endemic use of Flash technology all over its products left the company vulnerable and exposed to more types of attacks, and may have unveiled the presence of the SQL flaw leveraged in the attacks.