Cybersecurity experts from Kaspersky are warning parents of a hybrid "table on wheels" toy robot that its study found to be significantly vulnerable against threat actors.
The unnamed toy "educational robot" is reportedly a hybrid robot for kids that combines a smartphone/tablet with a smart speaker mounted on its wheels. The study found that there are a variety of vulnerabilities in the toy's software interface that hostile actors might use to obtain private data, such as the child's information, the parent's email address, country, and city of residence.
(Photo: Leon Neal/Getty Images) LONDON, ENGLAND - AUGUST 09: In this photo illustration, A woman is silhouetted against a projection of a password log-in dialog box on August 09, 2017, in London, England. With so many areas of modern life requiring identity verification, online security remains a constant concern, especially following the recent spate of global hacks.
On a good note, the seller of the robot under the study assumed liability for any security flaws that the study had discovered. According to reports, the manufacturer supplied the necessary guidelines and updates to guarantee strong data security and stop any toy misuse.
Reportedly described as a limbless toy robot, the interactive Android-powered gadget is made with kids' education and entertainment in mind. It has a large color screen, a microphone, and a video camera with interactive features.
This includes voice control assistance, internet access, kid-friendly games and educational apps, and a link to a parent-dedicated application for smartphones.
Read Also: AI ChatGPT-Powered Smart Toys: Here's What Parents Need To Know
Toy Robot Security Vulnerabilities
During its investigation, Kaspersky discovered that any robot of this type might receive video calls from malevolent actors. The vendor's server distributed video session tokens to anyone who possessed both the parent ID and the robot ID.
According to reports, it was not difficult to brute-force the robot's ID. Each toy had a nine-character ID, the first two of which were the same for all units, resembling the serial number. Without requiring any authentication, the parent's ID might be acquired by submitting a request to the manufacturer's server along with the robot ID.
Therefore, a malevolent actor wishing to call a random youngster may either call random IDs or attempt to guess the ID of a particular robot. Its initial setup is also one of the reasons the robot turned out to be susceptible to hackers.
The robot asks the user to choose a Wi-Fi network, link it to the parent's smartphone, and provide some basic details about the child who will be playing with it, like their name and age. Since this data is transmitted over the HTTP protocol in plaintext, network traffic analysis software can intercept it.
Parents' Data at Risk
The toy's vulnerability also allowed anyone with a robot ID to access a wealth of personal data from the server, including the IP address, country of residence, child's name, gender, and age. This revealed information about the parental account, including the phone number, email address, and code that connected the parental app to the robot.
If the attack had been successful, the parents would have lost all access to the robot and would have needed to get in touch with tech support to get it back.
Finally, as Kaspersky examined the operation of the robot's numerous systems, the professionals found vulnerabilities in the software update procedure. The update packages were not digitally signed, and the robot installed an update archive that was specially formatted and downloaded straight from the vendor's server without performing any preliminary verifications.
The study went on to warn parents to minimize these dangers by carefully selecting smart toys and keeping their software updated. The makers of these toys were then advised to properly alert consumers about possible risks and conduct extensive testing of the security of their infrastructure and goods.
Related Article: LEAKED: Lego Polaroid Camera Set Unveils Unique Memory Transformation
(Photo: Tech Times)