When children are breached—inside the massive VTech hack

Status
Not open for further replies.

rabish12

Ars Legatus Legionis
16,983
ryaninlondon said (http://meincmagazine.com/civis/viewtopic.php?p=30200187#p30200187):
Looks like the kid in the photo may be a vTech coder!

However, in all seriousness, this article doesn't suggest any really sensitive information about the children has been leaked. The fact we can link parents to children isn't exactly scary stuff, nor is the fact that the child at one point used vTech connect. The headline made me think hackers infiltrated the children's devices, communicated with them or monetized them in some way, or stole sensitive information from the kids (maybe something like scores on a "brain game" or something).

Beyond the sensational headline, the article still raises an important concern for parents. You might want to be careful what kind of information you release about them to the internet, even when you think it's protected.
I'm pretty sure that a child's age, name, gender, and address combined are about the most sensitive data you could leak on a child, and all of those are available in this leak for at least several hundred thousand of them.
 
Upvote
72 (74 / -2)

grommit!

Ars Legatus Legionis
20,718
Subscriptor
I'm astounded at the sheer ineptitude of the developers involved. No SSL? Laughable "encryption" of sensitive data? Returning SQL in error messages? :facepalm:

I guess the use of flash as their primary UI in 2015 says it all.

Ostracus said (http://meincmagazine.com/civis/viewtopic.php?p=30200131#p30200131):
When children are breached—inside the massive VTech hack

Wrong in so many ways.

Yeah, that title seems a little inappropriate.
 
Upvote
32 (35 / -3)

rabish12

Ars Legatus Legionis
16,983
The questioner said (http://meincmagazine.com/civis/viewtopic.php?p=30200219#p30200219):
Security is extremely important, but I think there is a subtle lesson to be learned. This is a prime example of a company requiring personal information that falls outside the scope of providing a service for a product.
I don't even think that's all that subtle. Companies tie physical products to services SPECIFICALLY because it provides them with an excuse to gather this kind of data, and it's been a pretty serious problem for some time now. Unfortunately, as is the case with most anything security-related, the potential security concerns just don't outstrip the profits they make and legislators aren't nearly familiar enough with the field to pass anything meaningful against it.
 
Upvote
45 (45 / 0)
Come on Ars, common internet decency dictates that a story like this needs to be followed up with a minimum of two cat pictures. It's just too depressing otherwise.

In all seriousness, thanks for posting this. My kids are just getting to the age where these "internet enhanced" toys are becoming appealing. This is a good reminder that it's about time to set some family policies around that.
 
Upvote
29 (30 / -1)

ExPatCA

Ars Scholae Palatinae
939
Subscriptor++
ryaninlondon said (http://meincmagazine.com/civis/viewtopic.php?p=30200187#p30200187):
Looks like the kid in the photo may be a vTech coder!

However, in all seriousness, this article doesn't suggest any really sensitive information about the children has been leaked. The fact we can link parents to children isn't exactly scary stuff, nor is the fact that the child at one point used vTech connect. The headline made me think hackers infiltrated the children's devices, communicated with them or monetized them in some way, or stole sensitive information from the kids (maybe something like scores on a "brain game" or something).

Beyond the sensational headline, the article still raises an important concern for parents. You might want to be careful what kind of information you release about them to the internet, even when you think it's protected.

I think you should probably have used the /s tag as there is no tucking way you could be serious. The PII on the kids, just think about it for a moment. Imagine this in the hands of a pedophile.

VTech, you should be ashamed of yourselves.

When does shit like this become a crime and people go to jail?
 
Upvote
26 (32 / -6)

rabish12

Ars Legatus Legionis
16,983
piratebay329 said (http://meincmagazine.com/civis/viewtopic.php?p=30200253#p30200253):
thegrommit said (http://meincmagazine.com/civis/viewtopic.php?p=30200213#p30200213):
I'm astounded at the sheer ineptitude of the developers involved. No SSL? Laughable "encryption" of sensitive data? Returning SQL in error messages? :facepalm:

I guess the use of flash as their primary UI in 2015 says it all.

Ostracus said (http://meincmagazine.com/civis/viewtopic.php?p=30200131#p30200131):
When children are breached—inside the massive VTech hack

Wrong in so many ways.

Yeah, that title seems a little inappropriate.
SSL and encryption are meaningless. Anything can be hacked, no matter how many times you see someone say "end to end to end to end encryption".
Anything can be hacked in principle. There's still a huge difference between "will be breached in under a second using a technique that should have stopped being possible over a decade ago" and "may be breached sometime in the next million years if you use the NSA's full server farm capacity to do it".
 
Upvote
65 (67 / -2)

grommit!

Ars Legatus Legionis
20,718
Subscriptor
Pit Spawn said (http://meincmagazine.com/civis/viewtopic.php?p=30200259#p30200259):
So HIBP is a good legit site then? I have thought a tool like this would be useful, but I have also thought that it would be a good way to get people to give your data as well...

Yes, Troy has been doing this for a while, and unlike similar sites, took a more thoughtful approach to the Ashley Madison breach:

http://www.troyhunt.com/2015/07/heres-h ... shley.html
 
Upvote
37 (38 / -1)
piratebay329 said (http://meincmagazine.com/civis/viewtopic.php?p=30200253#p30200253):
thegrommit said (http://meincmagazine.com/civis/viewtopic.php?p=30200213#p30200213):
I'm astounded at the sheer ineptitude of the developers involved. No SSL? Laughable "encryption" of sensitive data? Returning SQL in error messages? :facepalm:

I guess the use of flash as their primary UI in 2015 says it all.

Ostracus said (http://meincmagazine.com/civis/viewtopic.php?p=30200131#p30200131):
When children are breached—inside the massive VTech hack

Wrong in so many ways.

Yeah, that title seems a little inappropriate.
SSL and encryption are meaningless. Anything can be hacked, no matter how many times you see someone say "end to end to end to end encryption".

The fact that anything can be hacked is one of the strongest arguments FOR encryption. Proper encryption is an important component of "defense in depth".

In this case, if the passwords had been properly hashed and the other PII encrypted, a SQL injection hack would have been far less damaging.
 
Upvote
43 (43 / 0)

rabish12

Ars Legatus Legionis
16,983
BaritoneGuy said (http://meincmagazine.com/civis/viewtopic.php?p=30200265#p30200265):
ryaninlondon said (http://meincmagazine.com/civis/viewtopic.php?p=30200187#p30200187):
Looks like the kid in the photo may be a vTech coder!

However, in all seriousness, this article doesn't suggest any really sensitive information about the children has been leaked. The fact we can link parents to children isn't exactly scary stuff, nor is the fact that the child at one point used vTech connect. The headline made me think hackers infiltrated the children's devices, communicated with them or monetized them in some way, or stole sensitive information from the kids (maybe something like scores on a "brain game" or something).

Beyond the sensational headline, the article still raises an important concern for parents. You might want to be careful what kind of information you release about them to the internet, even when you think it's protected.

I think you should probably have used the /s tag as there is no tucking way you could be serious. The PII on the kids, just think about it for a moment. Imagine this in the hands of a pedophile.

VTech, you should be ashamed of yourselves.

When does shit like this become a crime and people go to jail?
Like I mentioned, it's a hard problem when most legislators don't know anything about the field, let alone care. Even if they weren't, any working legislation would have to mandate external security audits for large organizations collecting sensitive enough information, and the lobbying push against that would almost certainly kill it in the USA.
 
Upvote
13 (14 / -1)

Ashfire

Seniorius Lurkius
10
piratebay329 said (http://meincmagazine.com/civis/viewtopic.php?p=30200253#p30200253):
SSL and encryption are meaningless. Anything can be hacked, no matter how many times you see someone say "end to end to end to end encryption".

You're right. Guess I might as well not even bother putting a lock on my front door, then. Someone will just break through a window anyways. No point.
 
Upvote
45 (46 / -1)

moohbear

Ars Centurion
280
Subscriptor
rabish12 said (http://meincmagazine.com/civis/viewtopic.php?p=30200319#p30200319):
BaritoneGuy said (http://meincmagazine.com/civis/viewtopic.php?p=30200265#p30200265):
ryaninlondon said (http://meincmagazine.com/civis/viewtopic.php?p=30200187#p30200187):
Looks like the kid in the photo may be a vTech coder!

However, in all seriousness, this article doesn't suggest any really sensitive information about the children has been leaked. The fact we can link parents to children isn't exactly scary stuff, nor is the fact that the child at one point used vTech connect. The headline made me think hackers infiltrated the children's devices, communicated with them or monetized them in some way, or stole sensitive information from the kids (maybe something like scores on a "brain game" or something).

Beyond the sensational headline, the article still raises an important concern for parents. You might want to be careful what kind of information you release about them to the internet, even when you think it's protected.

I think you should probably have used the /s tag as there is no tucking way you could be serious. The PII on the kids, just think about it for a moment. Imagine this in the hands of a pedophile.

VTech, you should be ashamed of yourselves.

When does shit like this become a crime and people go to jail?
Like I mentioned, it's a hard problem when most legislators don't know anything about the field, let alone care. Even if they weren't, any working legislation would have to mandate external security audits for large organizations collecting sensitive enough information, and the lobbying push against that would almost certainly kill it in the USA.

That and the lack of accountability from the people responsible for the absence of security. As long as only the corporations are paying fines and none of the people in charge are personally asked to answer, this will continue.
 
Upvote
20 (21 / -1)

Deleted member 14629

Guest
piratebay329 said (http://meincmagazine.com/civis/viewtopic.php?p=30200253#p30200253):
thegrommit said (http://meincmagazine.com/civis/viewtopic.php?p=30200213#p30200213):
I'm astounded at the sheer ineptitude of the developers involved. No SSL? Laughable "encryption" of sensitive data? Returning SQL in error messages? :facepalm:

I guess the use of flash as their primary UI in 2015 says it all.

Ostracus said (http://meincmagazine.com/civis/viewtopic.php?p=30200131#p30200131):
When children are breached—inside the massive VTech hack

Wrong in so many ways.

Yeah, that title seems a little inappropriate.
SSL and encryption are meaningless. Anything can be hacked, no matter how many times you see someone say "end to end to end to end encryption".

Ah, I see we've found "Mister Doesn't Understand Defense-In-Depth". End-to-end encryption is one part of a larger piece. Securing data at rest matters as well, as does securing the people that can access the data. As we saw with the Patreon breach, you can minimize the damage with good practices. Sure, a mistake let that data out, but the fact that much of the important stuff was well-encrypted at rest has mitigated the impact. Especially compared to something like this, where the passwords might as well have been plain text.
 
Upvote
33 (33 / 0)

codejnki

Wise, Aged Ars Veteran
138
I remember having to create this account to begin with and felt it was pretty stupid. We bought my son a VTech camera when his little brother was born so he could take pictures of the new baby. A few months later he asked for help playing one of the games on it. To my surprise I needed to register the camera to unlock the game. It didn't download anything; it simply flipped a bit somewhere in the camera firmware to confirm that they had gotten my personal info. I was angry when I had to create this account in the first place, now I'm doubly angry.
 
Upvote
56 (56 / 0)

conan77

Ars Scholae Palatinae
1,295
Well, we have a few Vtech toys which were given to us as gifts for our kids as babies. Some of them are "hiding" right now. They have to be the most annoying toys I have ever encountered. Not only are they much noisier than anything else we have, many of them have a sleep mode they will go into if the child moves on to something else. 30 seconds into the sleep mode they wake up again with a loud noise, to bring the child back to them. I guess it's supposed to be so parents will go, "Wow, Johnny really loves that toy, he's *always* playing with it!"

Oh right, the security breach. Well, thankfully never registered any of these toys, but given how the toys are, I'm not surprised.
 
Upvote
24 (25 / -1)

Incarnate

Ars Tribunus Angusticlavius
8,986
Subscriptor++
Ashfire said (http://meincmagazine.com/civis/viewtopic.php?p=30200461#p30200461):
piratebay329 said (http://meincmagazine.com/civis/viewtopic.php?p=30200253#p30200253):
SSL and encryption are meaningless. Anything can be hacked, no matter how many times you see someone say "end to end to end to end encryption".

You're right. Guess I might as well not even bother putting a lock on my front door, then. Someone will just break through a window anyways. No point.
There is a point. If someone wants to hack a company, or a system, they will. You could think you have the best security in the world, but all it takes is to trick one user, or have a 0-day vulnerability.

The point is to make it hard enough that they move on to an easier target, just like securing your house may cause a thief to go try at your neighbor's house instead.
 
Upvote
11 (12 / -1)

IrishMonkee

Ars Scholae Palatinae
1,375
An excellent article and glad Ars was able to re-post it, else I wouldn't have known for a few more hours.

But oh man, this just keeps getting better; in a few days this should get even more interesting. I can't wait for the DoJ to start an investigation as, ya know, it's all to protect the children. This is what happens when companies cut corners with security. To fall to an SQL injection is downright pathetic; this is 2015... almost 2016. Just chalk another company up on the list of "never have, never will". When will the lawsuits start flying!?!?! The sharks should be smelling money by now.
 
Upvote
12 (12 / 0)
You might want to be careful what kind of information you release about them to the internet, even when you think it's protected.

You might want to be careful what kind of information you release to the internet. As things stand at the moment with all these breaches, data is only protected until some hacker finds a weakness in the way it is secured, and the weakest link in any security is the PC user. Given the right motivation and the right person, no system is 100% secure.
 
Upvote
5 (5 / 0)

Lostfanboi

Ars Tribunus Militum
1,853
smallfussydog said (http://meincmagazine.com/civis/viewtopic.php?p=30200835#p30200835):
The lesson is that you should lie through your teeth to services like these.

If I have to register personal information for something non-vital, I just make stuff up. In this case, my child would have been named Firstborn the Inheritor, born around 1607.

Precisely. Address? Maybe we should all keep using 1600 Pennsylvania Ave NW, Washington, DC 20500 until somebody gets the message that these companies need to be placed in check with their data breaches. Seriously. Why do ANY kids products require registration at all?
 
Upvote
23 (23 / 0)

Deleted member 14629

Guest
RRob said (http://meincmagazine.com/civis/viewtopic.php?p=30200865#p30200865):
TheFLP said (http://meincmagazine.com/civis/viewtopic.php?p=30200791#p30200791):
Now I want to see a federal agency responding to these breaches with guns and subpoenas.
I'm sure they are hopping on a plane to Hong Kong even as we speak.

It might not be guns and subpoenas, but the FTC could ban import of VTech goods.
 
Upvote
8 (8 / 0)

dragndrop

Wise, Aged Ars Veteran
111
Happysin said (http://meincmagazine.com/civis/viewtopic.php?p=30200537#p30200537):
Sure, a mistake let that data out, but the fact that much of the important stuff was well-encrypted at rest has mitigated the impact.
It's mitigated only provided the keys are stored off the box, ideally in an HSM, and/or the attacker does not have a chance to execute any code in the server context (which, when SQL injection is possible, isn't true).

But that is a pain for developers: they need to rely on some external service to encrypt/decrypt every request, the database with user data all encrypted (and each record with its own key) isn't reporting-friendly, there are performance issues, real physical HSMs are costly and hard to deploy in cloud fashion, etc.

Of course, SQL injections are fairly bad (dumping the SQL that returned no results seems like a debugging feature not disabled in production, and does not necessarily indicate that SQL injection is possible). Force the developers to use some ORM instead of concatenating strings into SQL commands and they will fail elsewhere, and next time the attacker exploits the cool & modern Web API of the application and gets all this data decrypted by the app itself, or will get a DB dump AND a key conveniently stored in some text file on the server, or manages to execute a bit of Python/Javascript/C# in the server context, as for extensibility reasons many modern frameworks love to generate code and run it.

But still, I'm actually impressed that a toy vendor hashed original passwords at all, and with the MD5 algorithm (not even unsalted MD4, like some reputable software vendors do :) )
 
Upvote
2 (3 / -1)
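Added example, not from this thread or from VTech: in Python, the two habits thegrommit's "properly hashed" post and dragndrop's remark about plain MD5 are pointing at, shown side by side with their weak counterparts. The sample accounts, the in-memory SQLite table and the function names are constructed for the demo and are assumptions, not VTech's schema or code.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for an offline demo; not real data, not VTech's schema.
SAMPLE_USERS = [
    ("parent1@example.com", "hunter2"),
    ("parent2@example.com", "hunter2"),  # same password as parent1, on purpose
]


def md5_hash(password):
    """Weak scheme from the thread: unsalted, fast MD5. Same password -> same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Salted, deliberately slow hash. A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_db(hasher):
    """In-memory user table populated with whichever hashing scheme is passed in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [(e, hasher(p)) for e, p in SAMPLE_USERS]
    )
    return conn


def lookup_concat(conn, email):
    """Vulnerable: user input is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, email):
    """Hardened: the driver binds the value; it can never change the shape of the query."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


def duplicate_digests(conn):
    """Rows sharing a pw_hash: with unsalted MD5 this reveals password reuse across users."""
    return conn.execute("SELECT COUNT(*) - COUNT(DISTINCT pw_hash) FROM users").fetchone()[0]


if __name__ == "__main__":
    weak, strong = build_db(md5_hash), build_db(pbkdf2_hash)
    tautology = "' OR '1'='1"  # the textbook injection input
    print("concat:", lookup_concat(weak, tautology))  # every row comes back
    print("param: ", lookup_param(weak, tautology))   # nothing matches that literal
    print("md5 duplicates:", duplicate_digests(weak), "pbkdf2 duplicates:", duplicate_digests(strong))
```

The parameterized lookup is what stops the dump; the salted slow hash is what limits the damage if a dump still happens, which is the "defense in depth" point made earlier in the thread.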

flunk

Ars Praefectus
5,691
Subscriptor
Eddis said (http://meincmagazine.com/civis/viewtopic.php?p=30200697#p30200697):
And this is why I make the salary I do - because I know how to secure a network.

IT is not a cost center, people.

Well IT security is only important if you get caught, right?

Seriously, I'm pretty sure this is what most management types believe.
 
Upvote
16 (16 / 0)
Windows aren't the only security one can have. My large dog thinks the fingers of slimeballs are tasty, and he welcomes breaches. We've never been completely hacked at home as a result.

edit: AutoCorrect fail

Ashfire said (http://meincmagazine.com/civis/viewtopic.php?p=30200461#p30200461):
piratebay329 said (http://meincmagazine.com/civis/viewtopic.php?p=30200253#p30200253):
SSL and encryption are meaningless. Anything can be hacked, no matter how many times you see someone say "end to end to end to end encryption".

You're right. Guess I might as well not even bother putting a lock on my front door, then. Someone will just break through a window anyways. No point.
 
Upvote
0 (2 / -2)
The Vtech ID is the scary part of the breach. Anyone with that info can connect to a kid on their laptop or other electronic toy. It was a selling point when we bought our daughter's InnoTab. We thought we would have the ability to control who connected with her little messaging program. But now, anyone with the ID has what they need to bypass a parent's supervision & send messages, pictures, and more.

They need to reissue new IDs, at the very least.
 
Upvote
19 (19 / 0)