VTech Security Debacle Reveals Kids’ Names, Birthdates, Parents, and More

The following is a reprint of an article by my daughter, Jillian Koskie. It appears on the With[in]Security blog.

Smart, Internet-connected toys have great potential — but also great risk, especially when they connect information-rich parental accounts with detailed data about children. What that risk actually means moved from theory to reality when VTech confirmed it experienced a data breach earlier this month that exposed its Learning Lodge customer database and Kid Connect servers.

Over 4.8 million parent accounts and 6.3 million kid profiles were affected — not a huge number in the recent history of hacks. But what keeps this from being trivial has little to do with the total number. Maybe you don’t care that hackers know your kids’ names, genders, or even birthdates… but what about seeing their photos, messages, and bulletin board postings? What if the hackers also know which games they were playing? What if these same hackers can also cross-reference those details with the corresponding parent account to gain mailing addresses and passwords (including secret question and answer details)?

According to software security expert Troy Hunt, they can. At the request of Vice Media blog Motherboard, Hunt was able to verify the data breach and confirm the information gained was legitimate and readable. He also found that all the data was stored in unencrypted, usually plain-text form, with a database that was readily susceptible to SQL injection, and that VTech’s apps relied heavily on Flash and didn’t use SSL at all. In short, the VTech data was extremely vulnerable and allowed hackers to learn the names, ages, and even appearance of a parent’s children — very dangerous information in the hands of, say, a blackmailer or kidnapper. But hey, at least no credit card information was stolen.

You should assume your information has been compromised if you have ever downloaded an app, game, or ebook onto a VTech product.

Unfortunately, taking away every VTech device your child owns will not protect them; the data is already out there. This is scary stuff, and it is just the beginning. Some critics are advising that you steer clear of connected toys until they become more resilient against attack.

It is likely that the U.S. Federal Trade Commission will open an investigation into whether VTech is in violation of the Children’s Online Privacy Protection Act (designed to protect the privacy of children under 13 years of age), but that can do little more than set a precedent for other manufacturers rushing Internet-connected toys to market.

As a precautionary measure, VTech has temporarily suspended its Learning Lodge website and Kid Connect service (just in time for the holiday season), though it continues to ship vulnerable tablets. That’s a steep price for VTech to pay for having what Hunt described as “genuinely alarming practices” with regard to security.