Cybersecurity Experts Urge Parents to Boycott VTech Toys After Hack

VTech is a company which specializes in electronic devices, baby monitors, toys and other equipment aimed at children. During my youth, I remember VTech being the main source of educational laptops for children in the Argos catalogue. Since then, technology has progressed at a rapid pace, and VTech now produces a huge range of smart devices including tablets. Back in late November, the company’s Learning Lodge gateway was compromised due to poor security and almost 6.4 million children’s details were exposed by a hacker. This is a shocking revelation and exemplifies the importance of being incredibly careful with your personal information. Recently, a VTech spokeswoman made some very worrying comments which suggest the company has a fairly incompetent attitude towards user data:

“Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information,”

“But no company that operates online can provide a 100% guarantee that it won’t be hacked.”

“The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company’s liability for the acts of third parties such as hackers.”

“Such limitations are commonplace on the web.”

As you might expect, this has been heavily criticized by industry experts and by consumers requiring peace of mind about their personal information. The latest terms were flagged in a blog post by the Australian security specialist Troy Hunt. He lambasted the company and said:

“You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.”

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.”

“You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk.”

“If [VTech] honestly feel they’re not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the ‘zero accountability’ clause.”

I have to echo the thoughts of Troy Hunt, and cannot believe VTech isn’t updating their security infrastructure after such a massive attack. If you value your children’s data, then it’s probably the most sensible idea to avoid using VTech’s online services.


VTech Leak Contained Headshots of Kids and Chat Logs

Recently it came to light that VTech had been hacked, potentially revealing thousands of emails and usernames. The hacker has since revealed more about what the breach contained, and those details were made public yesterday.

The data that was obtained from the hack contained around 4.8 million users’ details, but that figure alone understates what the hacker was able to obtain. 200GB of images were downloaded from the server, containing images of both the parents and children of the registered accounts, coupled with the chat logs between parents and children (some of which are recordings of conversations).

VTech suggests using the image so that it’s easier for parents and children to talk and interact through their services. The hacker provided Motherboard with 3,832 image files and at least one audio recording to prove that the data they obtained was legitimate and to show the scope of the risk posed by such an amount of data.

If that wasn’t bad enough, the photos, chats and recordings were often linked to usernames. That normally wouldn’t be a problem, but usernames, addresses and emails were also revealed, along with security questions and answers (meaning that resetting your password would have been an easy task).

The service has been stopped by VTech while they investigate. The hacker stated, “it makes me sick that I was able to get all this stuff” and I think it’s fair to say that no matter what they do VTech has a lot to answer for.

Data on Thousands of Children Exposed in VTech Hack

It has come to light that earlier this month, popular children’s computer company VTech were the victims of an attack by an unnamed hacker. The hacker was able to gain access to around 5 million users’ credentials, including the 200,000 children whose data was stored by VTech’s Learning Lodge online service.

The leaked credentials may include details such as users’ names, email addresses and home addresses. Also included in the leak were the users’ security questions and answers, meaning that cracking the users’ passwords would not be necessary to compromise accounts, and if the same password reset information was used on another site, those accounts would also be vulnerable. The scariest part is that the details of the children recorded by VTech included their names, birth dates and genders and could be used to link them to their parents’ accounts, providing those with sinister motives access to the locations of countless children. According to the site Have I Been Pwned, a reputable repository of data breaches, this breach is the fourth largest leak of consumer data to date.

Thankfully, in an interview with Motherboard, the hacker, when asked what he intended to do with the data, replied “nothing”. While he intends to do nothing with it, he warned that others may have extracted data from the site before him, due to the ease of attack. The technique used to break into the site was an SQL injection, an old and simple way of attacking vulnerable websites, typically executed by inputting malicious code into the forms on a website to manipulate it into performing an attacker’s desired operations. After using this to gain full access to the systems and databases, the attacker had free access to all of the data within.
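The injection described above and its fix, as an added example that is not VTech's code and not from the original article: the table, column names, functions and sample rows are all constructed. It also stores security answers only as salted hashes, a general mitigation (assumed here, not something the article describes) for the leaked question-and-answer data mentioned earlier.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_answer(answer, salt):
    # Treat a security answer like a password: keep only a salted, slow hash.
    normalized = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)

def make_db():
    # Constructed sample data standing in for an account table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (email TEXT, child_name TEXT, "
               "answer_salt BLOB, answer_hash BLOB)")
    rows = [("parent1@example.com", "Alex", "rex"),
            ("parent2@example.com", "Sam", "blue")]
    for email, child, answer in rows:
        salt = os.urandom(16)
        db.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                   (email, child, salt, hash_answer(answer, salt)))
    return db

def lookup_vulnerable(db, email):
    # Form input is pasted into the SQL text, so it can rewrite the query.
    query = ("SELECT email, child_name FROM accounts "
             "WHERE email = '" + email + "'")
    return db.execute(query).fetchall()

def lookup_safe(db, email):
    # Bound parameter: the input is only ever compared as a value.
    return db.execute("SELECT email, child_name FROM accounts "
                      "WHERE email = ?", (email,)).fetchall()

def check_answer(db, email, answer):
    row = db.execute("SELECT answer_salt, answer_hash FROM accounts "
                     "WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_answer(answer, row[0]))

# Constructed form input containing a quote and an always-true condition.
CRAFTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CRAFTED))
    print("safe:", lookup_safe(db, CRAFTED))
    print("answer ok:", check_answer(db, "parent1@example.com", "Rex"))
```

With the concatenated query the crafted input returns every row in the table; with the bound parameter it matches nothing.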

VTech has responded to the breach by promising to “look at additional ways to strengthen our Learning Lodge database security.” However, this may not be enough. Following the attack, security expert Troy Hunt, as well as examining the data to assess the extent of the leak, went on to do a cursory security review of VTech’s Learning Lodge site. He warned that the lack of encryption anywhere on the site, together with the tendency of the site’s databases and APIs to leak data, meant that there didn’t even need to be a data breach for user information to be at risk.

If you are a user of the Learning Lodge site and wish to enquire further with VTech, they have set up a series of email accounts to handle enquiries, which can be found here.

It should be considered fortunate that the perpetrator of this attack was willing to bring the breach to light and has no ill intentions for the data acquired; however, it is still unacceptable for a company that handles data, especially on vulnerable parties such as children, to engage in such poor security practice.