Naked Security

Kids’ VTech tablets vulnerable to eavesdropping hackers

Attackers can boobytrap what should be access to only parent-vetted sites and can take over the webcam, speakers and microphone.

VTech, the Hong Kong-based smart-toy maker, has hit another bump in the road.
This time around, it’s a serious security flaw in the software of VTech’s flagship tablet, the Storio Max, which is called the InnoTab Max in the UK. The flaw could allow hackers to remotely take control of the device and spy on the 3- to 11-year-old children for whom it’s marketed.
The vulnerability was discovered earlier this year by Elliott Thompson, a security consultant with the London penetration-testing firm SureCloud. On Wednesday, SureCloud said in a post that Thompson had found a vulnerable service enabled on the tablet that could be exploited by a script placed on a website: a child visiting that site would trigger the flaw and be none the wiser.
An attacker would then gain full root control over the device, including access to its webcam, speakers and microphone. In other words, an attacker could eavesdrop on a child using the tablet or talk to them.
The Max tablets are designed to enable parents to restrict their kids’ access to websites that they’ve personally vetted. The flaw pops a hole in that bubble of trust, given that an attacker could exploit the vulnerability to boobytrap that collection of supposedly “safe” sites.
Luke Potter, cyber-security practice director at SureCloud, told BBC News that it’s easy to exploit once you know where to look:

To find the vulnerability in the first place wasn’t easy. But to actually exploit it once you know it’s there is reasonably simple.

An attack can be accomplished remotely via off-the-shelf malware that can be picked up from criminal marketplaces, he said, and it would be invisible:

Remote access can be gained without the child even knowing. So effectively being able to monitor the child, listen to them, talk to them, have full access and control of the device. For example, we demonstrated viewing things through the webcam.

No attacks… yet

VTech said in a statement that it hasn’t heard of any actual attempt to exploit the vulnerability:

This was a controlled and targeted ‘ethical hack’ by… a sophisticated cyber-firm that was in possession of a detailed knowledge of hacking techniques and InnoTab/Storio Max’s firmware.
We are not aware of any actual attempt to exploit the vulnerability and we consider the prospects of this happening to be remote.
However, the safety of children is our top priority and we are constantly looking to improve the security of our devices.

In May, within 30 days of SureCloud having disclosed the vulnerability, VTech issued a patch.
That doesn’t mean that all the parents of all the tablet-using kids installed the firmware upgrade, though. VTech put a firmware upgrade reminder at the top of its homepage after BBC Watchdog Live flagged the tablet flaw and broadcast news about the issue, the BBC said on Wednesday.
Before that, VTech was just relying on popups that appeared on the devices themselves to get the word out, without explicitly warning customers about the security vulnerability or the risks it posed. After the BBC contacted the company, VTech made the upgrade reminder on its site more explicit and provided an illustrated, step-by-step guide to applying the fix.
According to the BBC, VTech is also contacting retailers that are selling affected units. The company says it’s also emailed European owners who haven’t yet performed the upgrade.

Earlier problems

In 2015, an intruder claimed to have broken into VTech servers and ripped off data so sensitive that it made them queasy.
With good reason: the intruder claimed to have accessed photos of kids and parents, chat logs and audio files.
The FTC said at the time that the attacker got first names, genders and birthdays of about 638,000 children. The intruder said they got email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, and download histories. The personal data pertained to 4,833,678 parents, the intruder said.
A then-21-year-old UK man was arrested in connection with the intrusion soon after. Fast forward to January 2018, when VTech settled Federal Trade Commission (FTC) charges that the company violated the Children’s Online Privacy Protection Act (COPPA) and the FTC Act.
VTech settled with the FTC for a civil fine of $650,000.
VTech was criticized for its response to the 2015 breach. The toymaker not only (allegedly) lost the data: it also dinged customer confidence by slipping in a tweaked terms and conditions policy that passed the buck for any future breach to its customers, like so:

You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.

At least this time around, VTech shipped an upgrade promptly. It remains to be seen if its response to the tablet vulnerability will keep the FTC happy, though.