An educational robot security research

In the modern world, we are surrounded by a multitude of smart devices that simplify our daily lives: smart speakers, robotic vacuum cleaners, automatic pet feeders and even entire smart homes. Toy manufacturers are striving to keep up with these trends, releasing more and more models that can also be called “smart.” One example is educational robots that connect to the internet and support video calls. Our colleagues kindly provided us with a robot like that for research purposes, as they wanted to ensure that the toy their children played with was sufficiently protected against cyberthreats. During our analysis, we discovered several vulnerabilities that allow malicious actors to gain access to confidential data and communicate with children without their parents’ knowledge.


Subject of the study: educational robot


The toy is designed to educate and entertain children; it is an interactive device running the Android operating system. It can move and has a big color screen, a microphone, a video camera and other features. In other words, this is a “tablet on wheels.” Interactive features include gaming and educational applications for children, a voice assistant, internet access and connection to the parent app for smartphones.


Possible attack vectors


Parents app


The robot needs to be linked to a parent’s account before it can be used. The parent application must be installed on the parent’s mobile device in order to accomplish this. From a security researcher’s perspective, this application is particularly interesting because it allows calling the robot and monitoring the child’s activities and learning progress.


Toy


The robot connects to a home Wi-Fi network and interacts with the application through the internet. Upon initial setup and internet connection, the robot prompts for a soft ..
