What's the difference? The former offers no legal recourse, at least for now. Just in case you've been desensitized by the ongoing barrage of security compromises, the latest data breach, involving electronics and educational toy manufacturer VTech, is sure to instill new fear in parents, putting at stake the one thing they arguably hold nearest and dearest: the safety of their children.
Recently, a fellow UpGuardian was overheard saying the following:
"Damn, I just found out my kid's preschool classes are using IE on Lenovo laptops."
If this doesn't faze you, check out our previous coverage of Lenovo's vulnerability fiasco back in April. While there's no arguing that educational institutions and commercial enterprises need to exercise proper IT security measures when creating environments and/or solutions intended for children's use, the latest VTech hack further illustrates the need to define the new normal when it comes to application development and architecture.
Anatomy of the Breach
Our friend and former podcast guest Troy Hunt was first to confirm the breach (check out our conversation with Troy on Episode 009 of The Gig: Have I Been Pwned?). Vice first reached out to him to verify the incident for Motherboard, and upon analyzing the dataset he confirmed the exposure of over 6 million children's records. VTech later confirmed the breach, stating that attackers compromised its Learning Lodge app store for children's tablets and its Kid Connect mobile app service. Analysis of the compromised data revealed application security flaws ranging from passwords stored as plain, unsalted MD5 hashes (MD5 is a fast hash, not encryption, and without a per-user salt every leaked hash can be attacked at once with a precomputed wordlist) to secret hint questions and answers stored in clear text, among others.
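To make the two password-storage flaws above concrete, here is an added example (not code from the original post and not VTech's code) that runs an offline dictionary attack against a handful of constructed, unsalted MD5 rows, then shows the hardened alternative: a per-user random salt with PBKDF2-HMAC-SHA256, applied to both the password and the hint answer. The sample rows, wordlist and iteration count are assumptions for illustration; the usernames are made up.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows in the style of the leaked data: unsalted MD5 hex digests.
# These are NOT real VTech records; the usernames and passwords are invented.
LEAKED_MD5 = {
    "parent_a": hashlib.md5(b"password1").hexdigest(),
    "parent_b": hashlib.md5(b"letmein").hexdigest(),
    "parent_c": hashlib.md5(b"password1").hexdigest(),  # same password as parent_a
}

# A tiny constructed wordlist. A real attacker uses millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def crack_unsalted_md5(leaked: dict, wordlist: list) -> dict:
    """Offline dictionary attack against unsalted MD5 password hashes.

    With no per-user salt, one MD5 computation per candidate word tests every
    account in the dump at once, and identical passwords yield identical hashes,
    so a single lookup table recovers all of them.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# Hardened storage: random 16-byte salt per record plus a deliberately slow KDF.
# 600,000 iterations follows OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256 (assumed here).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def normalize_hint_answer(answer: str) -> str:
    """Hint answers are low-entropy and typed casually, so normalise case and whitespace."""
    return " ".join(answer.lower().split())


def hash_hint_answer(answer: str) -> str:
    """Store the secret-question answer exactly like a password, never in clear text."""
    return hash_password(normalize_hint_answer(answer))


def verify_hint_answer(answer: str, stored: str) -> bool:
    return verify_password(normalize_hint_answer(answer), stored)


if __name__ == "__main__":
    print("cracked from unsalted MD5:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    rec = hash_password("password1")
    print("hardened record:", rec)
    print("verify correct:", verify_password("password1", rec))
    print("verify wrong:", verify_password("password2", rec))
```

Two things to notice when running it: `parent_a` and `parent_c` share an identical MD5 value, which leaks password reuse across accounts before any cracking happens, and two calls to `hash_password("password1")` produce different records because of the salt, so a wordlist has to be re-run per account against a KDF that costs hundreds of thousands of hash operations per guess.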
The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?
Additionally, the lack of cryptographic protection at the transport layer in VTech's applications (no SSL/TLS, so credentials and children's data crossed the network in the clear) makes for a highly compromisable scenario. Check out Troy's in-depth forensic footwork around the VTech data breach here.
It's inevitable that children's educational products, like all consumer products, will keep getting more connected and more software-driven. Manufacturers building products in this category need to bake in strong security as an intrinsic characteristic of their offerings, not an afterthought or add-on. In this day and age, flaws in software and applications can be just as devastating as product manufacturing errors. A consumer application aimed at the children's market with data security flaws is akin to a talking teddy bear known to short-circuit and cause explosions, and with the legal whirlwind building against VTech, the data breach will undoubtedly prove severely brand-damaging to the firm. The first class action lawsuit aimed at the HK-based electronics and toy manufacturer was filed on December 3rd.
So how do you prevent exploding teddy bears from reaching end-users? You get your teddy bear production assembly line output tested frequently, while at the same time making sure best practices and visibility are maintained and enforced across teams. UpGuard's platform for configuration integrity monitoring helps ensure that the software delivery pipeline is free from known vulnerabilities front-to-back and that software errors never reach end-users, whether it be you, your kids, or the grandparents. Try it today for free: 10 nodes are on us, forever.