In May of this year, Alexis Hancock’s daughter received a children’s tablet for her birthday. As a security researcher, Hancock immediately expressed concern.
“I looked at it kind of sideways because I’ve never heard of Dragon Touch,” Hancock told TechCrunch, referring to the tablet’s maker.
Upon investigation, Hancock, working at the Electronic Frontier Foundation, found numerous security and privacy issues with the tablet that could potentially put children’s data at risk, including her own daughter’s.
The Dragon Touch KidzPad Y88X was found to contain traces of well-known malware and runs an outdated version of Android, pre-loaded with other software considered as malware and “potentially unwanted programs.” Furthermore, the tablet included an outdated version of a kids’ app store, according to Hancock’s report.
Despite reaching out to Dragon Touch regarding these issues, Hancock received no response, and the company also did not respond to inquiries from TechCrunch.
The concerning findings included traces of Corejava, a malware previously analyzed by cybersecurity firm Malwarebytes. Additionally, the tablet came pre-loaded with Adups, a software classified as malware due to its ability to download and install new malware from the internet, as well as an outdated version of the KIDOZ app, which collects and sends device usage and physical attributes to ‘kidoz.net,’ as per Hancock’s report.
KIDOZ founder Eldad Ben Tora defended the app’s compliance with COPPA, a U.S. federal law for children’s online privacy protections.
Following the release of Hancock’s report, the Dragon Touch tablet’s listing was replaced on Amazon, and Walmart removed it from their website after being approached by TechCrunch.
Google spokesperson Ed Fernandez confirmed that they were evaluating the claims to determine the manufacturer’s device’s compliance with security standards required for Play Protect certification.
Children’s internet-connected products have historically been targeted by hackers, exemplified by the 2015 breach of VTech’s servers which resulted in the theft of personal information of millions of parents and their children.
Despite her findings, Hancock had to keep her daughter’s tablet and took measures to protect her daughter’s privacy by implementing various security tactics. However, she stressed that parents shouldn’t have to resort to such measures to ensure their children’s privacy and safety online.