Tablet for kids had flaws that exposed info, location

Toy maker LeapFrog says it's now secured the devices.

Laura Hautala Former Senior Writer

Hackers could've remotely located LeapPad Ultimate tablets using vulnerabilities identified by researchers. The flaws have now been fixed.

James Martin/CNET

A tablet made for children between the ages of 3 and 6 had flaws that could've let attackers intercept information from the devices, locate them and send messages to young users. The vulnerable tablet was the LeapPad Ultimate, and it joins a large group of internet-connected toys that've raised concerns about security. The device has now been secured, according to manufacturer LeapFrog.

Researchers from cybersecurity company Checkmarx said in a report Wednesday that the LeapPad Ultimate tablet was sending information over an insecure internet connection, which could've revealed children's names, genders and approximate ages. A LeapPad Ultimate application called Pet Chat also made it possible to find a tablet's location and other device information.

What's more, someone nearby could've sent children messages through Pet Chat, though they would've had to choose from preset greetings and graphics. Among the possible messages: "Let's go! Play outside together."

LeapFrog said it worked with the Checkmarx researchers to verify the problems and fix them. The device has child-friendly apps and doesn't let children have broader access to the internet.

"We thank Checkmarx for bringing these security vulnerabilities to our attention, as the safety of the children who use our products is our top priority," the company said in a statement. "Owners of LeapFrog tablets can be assured that no action is required, and we would always recommend parents to monitor who their children play with in the cyberworld."

The LeapFrog vulnerability is the latest example of a troubled feature in a children's product. Facebook said in July that flaws in its Messenger Kids program had let children join chat groups that weren't approved by their parents. On Tuesday, two Democratic lawmakers sent Facebook a letter with questions about the safety of the chat service, which is designed for kids aged 6 to 12. In the past few years, other internet devices for kids have come under scrutiny for having vulnerabilities, including Mattel's talking Hello Barbie doll and internet-connected stuffed animals called Cloud Pets.

Toys are just part of a larger problem when it comes to smart devices, security researchers say. They say it's too hard for consumers to safely use the internet-connected tech that's supposed to make our lives more convenient and fun, whether it's a smart TV or a toy. And that's at a time when buying household items with no internet connection is becoming harder.

Checkmarx said LeapFrog quickly fixed the problems it found. That included removing the Pet Chat application from its store. Older versions of the tablet might still have Pet Chat installed, Checkmarx said in its report, and the researchers recommended removing or avoiding the application.