Vtech is having a dreadful week after a hack exposed data on 4.8 million adults and 6.4 million children. Not only has its stock price dropped to a one-year low, but security researchers have uncovered two obvious vulnerabilities in its InnoTab Max tablet for children, and the company is declining to answer questions on whether it even has a security team.
Ken Munro, head of the consultancy Pen Test Partners, found the problems with the InnoTab within a day. The flaw was easy to locate because it has been public for over two years. It lies in the tablet's processor, the Rockchip RK3168: anyone with physical access to the device can connect it over USB and read the contents of its flash storage, where the user data lives, with a freely available tool called 'rkflashtool', with no credentials required.
In a blog post, Munro wrote that this bug has been known about for more than two years and that it’s quite lame of Vtech to still be shipping vulnerable tablets that expose children’s data.
He also found a microSD slot on the motherboard, which is used to store the user data and the filesystem. Munro added that, apart from providing another easy window to siphon sensitive data, this is also asking for reliability trouble later, and that Vtech could do a better job with the security of the hardware that stores the data of our children.
There have been several signs that Vtech has not paid sufficient attention to security. First, the breach itself, according to a report by Vice Motherboard, was carried out with an age-old method, SQL injection, that companies should be prepared for. Vtech was storing the majority of the data, including children's chat messages with their parents and images, unencrypted. The Vtech website was not protected with SSL/TLS encryption, and the Android application that parents used to chat with their children was also reported to be vulnerable.
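As an added illustration of the injection class the report names (this is example code written for this page, not Vtech's code; the table layout, column names and sample rows are constructed), the block below shows a lookup that concatenates user input into SQL next to the same lookup with a bound parameter, and runs two classic payloads against each: a tautology that returns every account, and a UNION that pulls rows out of a second table the query never intended to touch.

```python
import sqlite3

# Constructed sample schema and rows (not Vtech's): a parents table and a
# children table, to show how one injectable query exposes both.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    cur.execute("CREATE TABLE children (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT, dob TEXT)")
    cur.executemany("INSERT INTO parents VALUES (?, ?, ?)", [
        (1, "alice@example.com", "hash-a"),
        (2, "bob@example.com", "hash-b"),
    ])
    cur.executemany("INSERT INTO children VALUES (?, ?, ?, ?)", [
        (10, 1, "Ada", "2009-03-01"),
        (11, 2, "Ben", "2011-07-15"),
    ])
    conn.commit()
    return conn

def lookup_parent_vulnerable(conn, email):
    # BAD: the untrusted value becomes part of the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, email FROM parents WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_parent_safe(conn, email):
    # GOOD: the query text is fixed; the driver passes the value separately,
    # so quotes, OR and UNION in the input are just characters to compare.
    return conn.execute("SELECT id, email FROM parents WHERE email = ?", (email,)).fetchall()

# Two hypothetical attacker inputs. Neither is a quote from the actual breach.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION ALL SELECT id, name FROM children --"

def demo():
    conn = build_db()
    return {
        "vuln_tautology": lookup_parent_vulnerable(conn, TAUTOLOGY),
        "vuln_union": lookup_parent_vulnerable(conn, UNION_DUMP),
        "safe_tautology": lookup_parent_safe(conn, TAUTOLOGY),
        "safe_union": lookup_parent_safe(conn, UNION_DUMP),
        "safe_legit": lookup_parent_safe(conn, "alice@example.com"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the tautology the concatenated query becomes `WHERE email = '' OR '1'='1'` and returns every parent account; with the UNION payload it becomes `... UNION ALL SELECT id, name FROM children --'`, the trailing quote is commented out, and children's names come back through a query that only ever named the parents table. The parameterised version returns nothing for either payload and the single matching row for a real address. Note that parameterisation fixes the injection, not the disclosure: if the data behind the query is stored in clear, any other route to the database (a leaked backup, a second injectable endpoint) exposes it just the same, which is why encryption at rest matters independently.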
The situation seemed so concerning to Congressman Joe Barton and Senator Edward Markey that they have written to the company asking what measures it has taken to protect its customers, whether children or their parents. According to a disclosure from Vtech yesterday, 2.9 million of the children affected by the hack are in the US.
Despite repeated requests for comment, Vtech, which reported revenues of $1.9 billion earlier this year, has yet to say whether it has anyone dedicated to security.