On 14 November 2015, toy manufacturer VTech had its Learning Lodge and Kid Connect applications hacked in a cyber attack. VTech’s Learning Lodge is an app that allows parents to download e-books, learning games, and a range of other apps to VTech’s range of connected toys. Kid Connect is a messenger for kids that allows parents to communicate with their children with voice and text messages, photos, drawings, and emojis – all communicated from a VTech tablet or DigiGo to the guardian’s smartphone.
During the penetration of its servers, the hacker made off with the names, home addresses, emails and passwords of more than four million parents and six million children. As if that wasn’t bad enough, also amongst the contents of the stolen data were tens of thousands of photos of children and chat conversations between the young people and their parents. Epic fail.
When VTech went into the business of manufacturing digital toys, they also unwittingly agreed to be the custodians of some of the most sensitive data on the planet. As such, VTech should have had security at the forefront of its design specifications. That is why VTech’s failure to protect 190GB of its subscribers’ photos has left a lot of people with a rather bitter feeling towards the company.
A specifically troubling part of the story is VTech’s admission (on its FAQ) that it first heard about the hack from a journalist. Only then did VTech conduct an internal investigation. This is cause for concern, not only because the data was easily stolen, but because the company was utterly clueless about the fact that it had let so many parents down. From the FAQ:
‘3. When did you find out about the breach?
We received an email from a journalist asking about the incident on November 23 EST. After receiving the email, we carried out an internal investigation and on November 24 detected that some irregular activity took place on our Learning Lodge website on November 14 HKT. Our investigation confirmed on November 26 HKT that a breach had occurred. We immediately began a comprehensive check of the affected sites and are taking thorough actions against future attacks.’
Remember that while we do know about this particular hack, the ease with which it was carried out makes it entirely feasible that other hackers could at some time have been in VTech’s server, unnoticed. That is the truly saddening part. Yes, VTech got hacked on November 14, but what is much worse is that it had an open door to anyone that wanted to hack them up until that date.
Thankfully, the November cyber attack was carried out by a white hat hacker who approached Motherboard with the stolen data in a bid to raise awareness about VTech’s bad security. It seems telling, somehow, that despite carrying out the cyberattack to expose the company’s weakness, in December a 21-year-old male was arrested by British police as part of an ongoing investigation. Being helpful doesn’t excuse you from being investigated, especially when it comes to children’s data, and quite rightly so.
Commenting on VTech’s failure, security analyst Troy Hunt said,
‘Once the passwords hit the database … they’re protected with nothing more than a straight MD5 hash, which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text.
The vast majority of these passwords would be cracked in next to no time; it’s about the next worst thing you do next to no cryptographic protection at all.’
Hunt’s words hit home. In its FAQ, VTech says it is ‘taking thorough actions against future attacks’, but in retrospect, that doesn’t seem good enough. Thorough measures should have been taken from the start; after all, the company knew full well that it was selling toys to children that send messages and photos. Designing a product that communicates private family data using company servers, without considering security carefully, seems negligent. If I could somehow revoke their toymaking license – I certainly would.
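To make Hunt’s point concrete, here is an added example (written for this article, not code from VTech or from Hunt) that contrasts the ‘straight MD5’ scheme he describes with a salted, deliberately slow password hash built from Python’s standard library, and includes a small audit routine a defender could run over a legacy credential table to spot unsalted digests. The account names and passwords are constructed sample data, and the PBKDF2 iteration count is an assumed work factor to be raised to whatever current guidance recommends.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed sample accounts; the passwords are illustrative, not real data.
SAMPLE_ACCOUNTS = {
    "parent_a": "Password1",
    "parent_b": "Password1",   # two parents happened to choose the same weak password
    "kid_c": "kitty",
}

ITERATIONS = 200_000  # assumed work factor; raise it to match current guidance


def md5_unsalted(password: str) -> str:
    """'Straight MD5': fast, unsalted and deterministic. Equal passwords give
    equal digests, so one precomputed table of common passwords covers every
    account at once, which is why Hunt calls it close to useless."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash. The stored record carries its own
    algorithm, iteration count and salt so parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Anything that is not a well-formed PBKDF2 record (e.g. a bare MD5 digest)
    is rejected rather than silently accepted."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


_RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")


def audit_password_store(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag accounts whose stored value is a bare 32-hex-character digest
    (raw MD5: no salt, no parameters) and accounts that share an identical
    stored value, which only happens when hashing is unsalted."""
    unsalted = [user for user, h in store.items() if _RAW_MD5.match(h)]
    seen: Dict[str, str] = {}
    duplicates: List[str] = []
    for user, h in store.items():
        if h in seen:
            duplicates.append(user)  # same digest as an earlier account
        else:
            seen[h] = user
    return {"unsalted_md5": unsalted, "duplicate_hash": duplicates}


def build_store(accounts: Dict[str, str], scheme) -> Dict[str, str]:
    """Hash every sample password with the given scheme."""
    return {user: scheme(pw) for user, pw in accounts.items()}


if __name__ == "__main__":
    weak = build_store(SAMPLE_ACCOUNTS, md5_unsalted)
    strong = build_store(SAMPLE_ACCOUNTS, pbkdf2_hash)
    print("MD5 store audit:   ", audit_password_store(weak))
    print("PBKDF2 store audit:", audit_password_store(strong))
    print("verify kid_c:      ", pbkdf2_verify("kitty", strong["kid_c"]))
```

Run as a script, the MD5 store is flagged on both counts (every entry is a bare digest, and the two parents with the same password collide), while the PBKDF2 store shows no findings because each account has its own salt. A real deployment would use a dedicated password-hashing library (bcrypt, scrypt or Argon2); PBKDF2 is used here only because it ships with the standard library.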
Now, preposterously, the mediocre toy company has decided to branch out into home monitoring devices that it thinks can keep you more secure. ‘Know what your family’s up to and make sure your home’s secure at all hours. View and record high-definition video directly through an app on your smartphone or tablet,’ it boasts in the sales pitch.
VTech says that there is no need to worry because this time it has employed a third party to perform penetration testing, and all will be well. Arguably, however, the negligence that the Hong Kong-based company has already demonstrated – borne out of a total mismanagement of security – would seem to make purchasing from VTech’s new range of security products a reliable sign of madness.
Alas, it is also worth knowing that when Rapid7 tested nine baby monitors made by eight different companies, every single one had severe security issues. Philips’ In.Sight B120 baby monitor, for example, was found to have an unencrypted connection to the Internet that could allow a hacker to quickly access the online video stream. Thankfully, Philips has pulled that product from the shelves and is now working closely with Gibson Innovations to produce a more security-conscious product in the future.
For now, the best advice for anyone interested in purchasing connected devices is to only buy those that are absolutely necessary. Make yourself aware of your options by doing some research. Select manufacturers that have a reputation for wanting to make safe products, and lastly, if you do decide to buy something, remember to use strong passwords and to keep up to date with security updates.