The VTech Data Breach And Exploding Teddy Bears

What's the difference? The former offers no legal recourse, at least for now. Just in case you've been de-sensitized by the recent ongoing barrage of security compromises, the latest data breach involving electronics and educational toy manufacturer VTech is sure to instill new fear in the hearts of parental consumers, putting at stake the one thing they arguably hold nearest and dearest: the safety of their children.

Recently, a fellow UpGuardian was overhead saying the following:

"Damn, I just found out my kid's preschool classes are using IE on Lenovo laptops."

If this doesn't phase you, check out our previous coverage of Lenovo's vulnerability fiasco back in April. While there's no arguing that educational institutions and commercial enterprises need to exercise proper IT security measures when creating environments and/or solutions intended for children's use, the latest Vtech hack further illustrates the need to define the new normal when it comes to application development and architecture. 

Anatomy of the Breach

Our friend and former podcast guest Troy Hunt was first to confirm the breach. Check out our conversation with Troy on Episode 009 of The Gig: Have I Been Pwned? Vice first reached out to him to verify the incident for Motherboard, and upon analyzing the dataset—confirmed the exposure of over 6 million children's records. VTech also later confirmed the breach, stating that hackers compromised its Learning Lodge app store for childern's tablets and Kid Connect mobile app service. Analysis of the compromised data revealed application security flaws ranging from the usage of straight MD5 hashes for encrypting passwords to secret hint questions/answers stored in clear text, among others.

Additionally, lack of crytographic protection in VTech's applications on the protocol level (read: no SSL) makes for a highly compromisable scenario. Check out Troy's in-depth forensic footwork around the VTech data breach here.

It's inevitable that children's educational products—like all consumer products—continue to ride the unavoidable wave of the future. Manufacturers building products in this category need to bake in strong security as an intrinsic characteristic of their offerings, not an afterthought or add-on.  In this day and age, flaws in software/applications can be just as devastating as product manufacturing errors. A consumer application aimed at the children's market with data security flaws is akin to a talking teddy bear known to short-circuit and cause explosions, and with the legal whirlwind building against VTech—the data breach will undoubtedly prove to be severely brand damaging to the firm. The first class action lawsuit aimed at the HK-based electronics and toy manufacturer was filed on December 3rd.

So how do you prevent exploding teddy bears from reaching end-users? You get your teddy bear production assembly line output tested frequently, while at the same time making sure best practices and visibility are maintained and enforced across teams. UpGuard's platform for configuration integrity monitoring ensures that the software delivery pipeline is free from vulnerabilities front-to-back and that software errors never reach end-users—whether it be you, your kids,or the grandparents. Try it today for free—10 nodes are on us, forever. 

Source(s):

https://www.vtech.com/en/press_release/2015/faq-about-data-breach-on-vtech-learning-lodge/

http://www.theguardian.com/technology/2015/nov/30/vtech-toys-hack-private-data-parents-children

http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html