A Security Analysis of the VTech Data Exposure
Hacker Goes Directly to Media to Expose VTech Security Issues
The Hong Kong-based toy company VTech recently experienced a data breach that exposed the customer data of 6.2 million children and 4.9 million adults across 13 countries, with the bulk from the U.S. VTech sells a number of electronic toys, some of which connect to the Internet, such as the InnoTab children's tablet.
The hacker who exposed the VTech security issues gave an exclusive interview and data dump to Vice's 'Motherboard' website. No credit card or other financial information was exposed, but a large amount of private information about children was: names, dates of birth, and gender.
The hacker told Vice that it was "morally wrong" to expose children's data to the underworld, and that they feared VTech would try to bury the security issues they had discovered unless the press was involved. The hacker said they had no plans to monetize the exfiltrated data and went to the media to highlight the insecure state of VTech's systems and the fact that the company was retaining the personally identifiable information (PII) of customers' children, as well as extensive chat logs.
VTech, in a December 3 FAQ post about the data exposure, describes the breach and what was affected as the following:
We can confirm that on November 14 HKT an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products. Kid Connect allows parents using a smartphone app to chat with their kids using a VTech tablet… We have temporarily suspended the Learning Lodge website, Kid Connect and a number of other sites to ensure that our customer data is safe from any further attacks.
In turn, VTech has shut down access to 13 websites that used the exposed database. The hacker told Motherboard/Vice that the attack was carried out using SQL injection, was rather simple, and could have been pulled off by anyone.
"This time the hacker was ethical enough to come forward with information about the threat, as opposed to monetizing the fruits of an exploited vulnerability on the black market," said Alex Heid, Chief of Research, SecurityScorecard. "Current customers of VTech Kids Connect who are afraid they may have been impacted by this breach are encouraged to change their passwords in the event they reuse the same password for multiple accounts, and make sure to do the same with any children's accounts."
SecurityScorecard Dives in to VTech’s Vulnerabilities & Security Issues
Very few details in the Vice article indicated the point of compromise, so SecurityScorecard's Research & Development team took a deeper look at VTech's external vulnerability surface to see what was readily visible to attackers. Here is what we discovered in our ThreatMarket™ security intelligence engine:
Web Application Security Issues
The digital footprint of VTech is large, and the international corporation makes use of many legacy systems, such as ColdFusion, across much of its public web presence. For example, VTechKids.com, the website that sells the Kid Connect devices, is written in ColdFusion and was discoverable via Google dorking. Google dorking is an advanced search technique that attackers use to discover confidential documents or other website material that was unintentionally exposed to the wider Internet. SecurityScorecard has automated these techniques for companies to help them gain more precise visibility into their security risk.
Mobile App Issues
There is a VTech KidConnect mobile application for Android. Mobile application API vulnerabilities are a rising trend, and it is possible that an SQL injection in the app-to-app communication was exploited by the attacker. The revelation that chat logs and pictures were available indicates the attacker had access to the database used by this app. Whether the attacker exploited an SQL injection in the mobile app's API communication or used a different web application to pivot into the KidsConnect database is unknown. What is confirmed is that the chat logs and photos associated with the use of this app were in the breach archive provided to Motherboard/Vice.
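The post reports that the attack was a simple SQL injection, possibly against the database behind the chat app's API. The following is an added example written for this article, not code from VTech or from the Motherboard report, and it assumes nothing about VTech's real schema: it uses an in-memory SQLite table with constructed chat rows and shows, side by side, a query built by string formatting and the parameterised form that defenders should insist on. The assumed table name `messages` and the hypothetical function names are illustration only.

```python
import sqlite3

# Constructed sample rows standing in for a chat-message table (not VTech's data or schema).
SAMPLE_MESSAGES = [
    ("parent-1", "child-1", "hello"),
    ("parent-2", "child-2", "dinner at six"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (sender TEXT, recipient TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def messages_for_vulnerable(conn, user):
    """Defective pattern: the caller-supplied value is spliced into the query text,
    so quote characters in the value change the structure of the statement."""
    sql = "SELECT sender, recipient, body FROM messages WHERE recipient = '%s'" % user
    return conn.execute(sql).fetchall()


def messages_for_safe(conn, user):
    """Hardened pattern: a bound parameter. The driver passes the value separately,
    so it is always compared literally and can never alter the WHERE clause."""
    sql = "SELECT sender, recipient, body FROM messages WHERE recipient = ?"
    return conn.execute(sql, (user,)).fetchall()


def demo():
    """Run both variants with a normal recipient and with a value containing a quote
    and a tautology, and return the row counts each one produces."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that only matters if spliced into SQL text
    return {
        "vulnerable_normal": len(messages_for_vulnerable(conn, "child-1")),
        "vulnerable_crafted": len(messages_for_vulnerable(conn, crafted)),
        "safe_normal": len(messages_for_safe(conn, "child-1")),
        "safe_crafted": len(messages_for_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable variant returns every row for the crafted value because the tautology becomes part of the statement, which is exactly how a single injectable parameter can hand an attacker a whole chat table; the parameterised variant returns nothing for the same input because the quote is just data. A code review or static-analysis rule that flags any SQL built with `%`, f-strings or concatenation catches this class of defect before it reaches an API endpoint.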
Network Security Issues
The network security surface for VTechKids.com is very exposed; ThreatMarket sensors detected the following:
- Accessible Intranet Portals
- Accessible Administration Portals
- Accessible Cisco Routers
- VoIP Phones with International Dialing Capabilities & No Authentication
Here are screenshots of what attackers could find:
Publicly-Exposed Network Resources
Here is a VTech phone/VoIP conferencing page we discovered:
Here is another internal VTech website we discovered non-intrusively:
The specific point of entry that the hacker used to access the Kid Connect database has most likely been identified and patched by now, either through disclosure from the attacker or through an internal forensic analysis. However, the surface area of VTech is so large and scattered that it has likely been attacked before.
Companies are encouraged to know their digital footprint comprehensively and keep a solid inventory of their public Internet real estate. With cloud hosting now an enterprise reality, the security team's responsibility extends beyond its own ASN IP address range.
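The closing advice, to keep an inventory of public Internet real estate that reaches beyond the company's own ASN, is easiest to act on when external observations are reconciled against a declared inventory automatically. The following is an added example written for this article, not SecurityScorecard's ThreatMarket code or anything from VTech: it takes a constructed inventory of address ranges (documentation ranges, not real addresses) and a constructed list of externally observed services in the shape a scan export might take, and flags assets that fall outside every declared range as well as the kinds of exposure listed above (intranet and administration portals, router management, VoIP services without authentication). The hostnames, ranges and banners are all constructed, and the keyword list is an assumption chosen to match the categories in this post.

```python
import ipaddress

# Constructed declared inventory: ranges the security team owns or has provisioned.
# These are IETF documentation ranges, not VTech's addresses.
KNOWN_RANGES = {
    "corporate ASN": ["203.0.113.0/24"],
    "cloud account A": ["198.51.100.0/26"],
}

# Constructed observations in the shape of an external scan export:
# (hostname, ip, port, service_banner, auth_required)
OBSERVED = [
    ("www.example-toys.test", "203.0.113.10", 443, "https", True),
    ("intranet.example-toys.test", "203.0.113.20", 80, "http intranet portal", False),
    ("rtr1.example-toys.test", "203.0.113.1", 23, "telnet cisco", False),
    ("conf.example-toys.test", "198.51.100.5", 80, "http voip conference", False),
    ("app-api.example-toys.test", "192.0.2.77", 443, "https", True),  # in no declared range
]

# Assumed banner keywords for management and voice services that should not face the Internet.
RISKY_KEYWORDS = ("intranet", "admin", "cisco", "voip")
CLEARTEXT_MANAGEMENT_PORTS = {21, 23}  # ftp, telnet


def owner_of(addr, nets):
    """Return the inventory entry whose ranges contain addr, or None if no entry does."""
    for name, networks in nets.items():
        if any(addr in net for net in networks):
            return name
    return None


def classify(known_ranges, observed):
    """Reconcile observed services against the declared inventory and return a finding
    per host that is unknown, exposes a management/voice service, or speaks a
    cleartext management protocol. Hosts with no issue are omitted."""
    nets = {name: [ipaddress.ip_network(r) for r in ranges]
            for name, ranges in known_ranges.items()}
    findings = []
    for host, ip, port, banner, auth_required in observed:
        owner = owner_of(ipaddress.ip_address(ip), nets)
        issues = []
        if owner is None:
            issues.append("outside declared inventory")
        risky = any(k in banner.lower() for k in RISKY_KEYWORDS)
        if risky and not auth_required:
            issues.append("management/voice service reachable without authentication")
        elif risky:
            issues.append("management/voice service exposed to the Internet")
        if port in CLEARTEXT_MANAGEMENT_PORTS:
            issues.append("cleartext management protocol (ftp/telnet)")
        if issues:
            findings.append({"host": host, "ip": ip, "port": port,
                             "owner": owner, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in classify(KNOWN_RANGES, OBSERVED):
        print(f"{f['host']} ({f['ip']}:{f['port']}, owner={f['owner']}): {', '.join(f['issues'])}")
```

The unknown-owner finding is the one that matters most for the point made above: an API host living in a cloud range nobody recorded is invisible to a team that only monitors its own ASN, so the reconciliation should be fed from both the corporate address space and every cloud account's allocated ranges.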