VTech’s Security Negligence

As it turns out, when I was a little ankle-biter, I had a sort of talking toy phone.  You know, the kind a kid can pretend to make a call on, and have some garbled, digital ‘90s voice answer back.  Not that I had any idea at the time, a couple of decades ago, but that little gadget was made by a young electronic toy manufacturer named VTech.

Updates on the data breach of the Chinese company continue to flow in, since it was first reported late last week.  By all accounts, this has remained an unusually contained breach, like a control experiment.  This is primarily because the hacker in this case, fortunately for everyone involved, does not appear to have any interest in publishing or selling the data, per his/her own words.  In fact, since breaking into VTech’s horrendously defended network, the individual appears to have contacted only Motherboard with the information, saying they planned to do “nothing” with it personally.  Not-so-small favors aside, it’s still an unsettling incident, tremendous in scale, with the hacker in question able to access the personal data of almost 5 million parents and over 200,000 of their kids.  Worse, the parents’ data could be used by an intruder to match them to their children, which in turn would reveal the children’s identities and addresses, since those details were provided in the parent accounts on VTech’s Learning Lodge online store.

But now we learn that this data was not all that VTech was storing; the anonymous hacker also revealed that photos of the parents and kids, and chat logs between them via the toymaker’s Kid Connect service, were left exposed on its servers.  In total, the hacker was able to uncover tens of thousands of these pictures, about 190GB worth.  As if that wasn’t enough, several audio files of the kids’ voices were there for the taking, and all of these can be traced back to specific usernames.  Truthfully, I don’t know if I’ve covered a creepier story in my time here.  At least we know that in this case the hacker agrees, telling Motherboard: “Frankly, it makes me sick that I was able to get all this stuff…VTech should have the book thrown at them.”

Conducting his own investigation into the veracity of the initial reports of the breach, meanwhile, security expert Troy Hunt discovered some pretty damning evidence of just how negligent VTech really was.  Aside from the obvious question of why they needed to store these sorts of items in the first place, the depth of their cryptographic negligence is impressive (in a “Wow, that giant sinkhole in the middle of the street is pretty impressive” kind of way).  Passwords on the server were protected by nothing more than an MD5 hash, which an intruder could crack in no time.  Secret questions and their answers, meanwhile, were stored in plain text.  The communications between kids and parents went over unencrypted connections, with no SSL in sight.  Essentially, all sensitive data on VTech’s servers enjoyed what could barely be called even the minimum of protection.  Such a broad range of fundamental failures has Hunt saying there is no simple fix, and recommending that VTech take the whole thing offline until it can be properly repaired, especially as he still sees gaping holes in their system that allow every kid and parent to be matched.
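To make the password point concrete, here is an added Python illustration (not code from this post, from VTech, or from Troy Hunt) of why a bare MD5 hash is not password protection, set beside the salted, slow hash a defender would deploy instead.  It assumes the weak scheme is a plain MD5 of the password with no per-user salt; the password list is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample word list: the kind of passwords users actually pick.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "vtech2015"]


def weak_store(password: str) -> str:
    """The scheme the post describes (assumed unsalted): one fast MD5 of the password.

    Two users with the same password get the same hash, and a single precomputed
    table of hashes of common passwords recovers every one of them at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_unsalted(stored_hex: str, wordlist) -> Optional[str]:
    """Defender's check: can this stored hash be recovered from a small word list?

    Builds the hash->password table once; for unsalted MD5 that table works
    against the whole user database, which is why cracking 'takes no time'.
    """
    table: Dict[str, str] = {weak_store(p): p for p in wordlist}
    return table.get(stored_hex)


def strong_store(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library).

    A fresh random salt per user defeats shared precomputed tables, and the
    iteration count makes each guess expensive for an attacker who steals the data.
    Record format (our own convention): algo$iterations$salt_hex$hash_hex
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_demo() -> dict:
    """Runs both schemes on the same password and reports the contrast."""
    pw = "letmein"
    weak = weak_store(pw)
    strong = strong_store(pw)
    return {
        "weak_recovered": lookup_unsalted(weak, COMMON_PASSWORDS),   # 'letmein'
        "weak_same_for_two_users": weak_store(pw) == weak,           # True
        "strong_same_for_two_users": strong_store(pw) == strong,     # False (salt)
        "strong_verifies": strong_verify(pw, strong),                # True
        "strong_rejects_wrong": strong_verify("wrong", strong),      # False
    }


if __name__ == "__main__":
    for key, value in audit_demo().items():
        print(f"{key}: {value}")
```

The same reasoning applies to the secret-question answers the post mentions: they are credentials too, and belong behind the same salted, slow hash rather than in plain text.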

All of this doesn’t even cover the fact that VTech claims they weren’t aware of the intrusion until contacted by Motherboard.  For now, though, they have temporarily suspended Learning Lodge, and have announced they are working with Hong Kong regulators on a compliance check.  Still, the apparent lack of due diligence in this case is shocking.  Imagine if the hacker had been malicious.  Fortunately, as mentioned, the individual appears just as disgusted with the findings as anyone else would be, and seemingly has no desire to expose the data.  This could have been a lot worse.  How bad it gets for VTech, however, remains to be seen.

By: Jonathan Weicher