VTech: Playing Loose With Your Children’s Data
It’s been a tumultuous time for children’s electronic learning product suppliers, VTech. The Hong Kong-based company announced acquisition plans for direct-market competitor LeapFrog for $72 million, drastically expanding their market-share and positioning themselves as one of the foremost developers of and suppliers in children’s electronic learning products. Unfortunately, the week didn’t continue as planned.
VTech updated their terms and conditions following a large hack in 2015, blatantly shifting the onus of responsibility onto parents and carers without a second thought.
What have they changed? What have they secured? What should you be doing?
What Happened To VTech?
VTech were hacked last November , the attacker making off with the data from over 4 million adult accounts, and over 6 million child accounts. The hack exposed the personal data of each compromised account including names, email addresses, passwords, secret questions and answers, IP addresses, mailing addresses, and download histories. As well as this, VTech’s app store database, Learning Lodge, was also compromised.
From here, data including chat logs, personal audio files and photographs were compromised, many belonging directly to the children using the devices.
The hack was initially exposed by Lorenzo Bicchierai, writing for Vice magazine’s technology-focused Motherboard publication. After the initial article was published, Bicchierai was contacted by the individual claiming to have performed the hack, who provided sensitive photographs to the journalist for verification.
Bicchierai then invited information security specialist Troy Hunt to analyze the data provided to confirm if the leak was legitimate, rather than a hoax. On confirmation, Hunt further dissected the data and published details of the vulnerabilities affecting VTech. The vulnerabilities, as Hunt discovered, were atrocious.
Object reference flaws meant users could easily access the accounts of others by stepping through URLs, the entire host system was extremely sensitive to any form of SQL injection, and there was:
“No SSL anywhere… All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted.”
He also found passwords “encrypted” with a simple MD5 hash, with no salting, or even sight of an advanced hashing algorithm, meaning anyone with even slightly advanced computing skills would likely crack them in a short space of time.
Further to this, secret questions and answers were stored in plain text, with no additional security measures at all. Hunt also noted the poor quality of the security questions, such as “What is your favorite color?” or “Where were you born?” and other equally simple-to-discover information.
Once a parent has created their adult account, child accounts can be created. Each child account is directly linked to the adult account, and they can add their own avatar, date of birth, and gender.
The data is then stored in a self-referencing table using a “parent_id” to link both accounts together, like so:
Meaning that with the additional data secured in the breach, each and every child could be simply matched to their parent, disclosing their addresses along with reams of other personal information.
Change The T&C
As we are so often confronted with lengthy user agreements, privacy statements, changes to the terms and conditions of websites, games, services, and more, we’ve all become a little blasé to the language used. I can absolutely not count the amount of T&C I’ve clicked through, and wonder if at some point I signed my soul over.
You would think the standard response to a major data breach is a robust investigation into any and all security shortcomings, perhaps welcoming the work already completed by information security professionals that are attempting to safeguard sensitive data relating to children.
Not for VTech.
Instead, they updated their terms and conditions with distinctly unsavory terminology. In a section headlined Limitation of Liability, terms read:
“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties”
I’m sorry. What? The user agrees not be angry or hold the company responsible if they get hacked again? In 2016, how any company promoting any form of networked device responsibly can shift the burden of responsibility onto their users in a scenario where they are actively seeking sensitive information is beyond me.
No way. Even before their terms and conditions-based shenanigans, the UK’s Information Commissioner’s Office was investigating the data breach , along with multiple US State jurisdictions. Similarly, in the immediate aftermath of the breach, Hong Kong Privacy Commissioner Stephen Wong confirmed his office had initiated a “compliance check” on VTech to assess if the company had adhered to basic security principles.
As I was writing this article, the UK Information Commissioners Office confirmed that the new terms and conditions would contravene current UK law, stating:
“The law is clear that it is organisations handling people’s personal data that are responsible for keeping that data secure”
What Should You Do?
Honestly, until VTech have been proven to have substantially overhauled their security operation, do not use their products, including their website.
In future, before buying any networked children’s toy, it would be prudent to run a quick “[product name/company name]+security” search, or you could try “[product name/company name]+hack/data breach.” Any of those combinations will quickly illustrate the security well-being of the product you’re about to hand to your child.
Security breaches are going to happen . We live in a massively digitized world, sharing sensitive information across a huge number of sites. However, we don’t have to throw ourselves into the firing line , and equally, we do have the right to expect a modicum of respect to the privacy of our personal data – let alone that of our children.
Affected by the VTech breach? Or can you sympathize with a toy-maker in the networking and information security world? Let us know below!
Image Credits:Hacker Man by tanberin via Shutterstock