VTech Either Truly Doesn’t Care About Security Or Has No Idea What They Are Doing
VTech was the victim of a huge breach a few months ago which, in full disclosure, exposed over 6 million people’s PII and account information. What’s worse is that a large portion of that information belonged to children, most around 5 years old. On top of that, it was revealed later that VTech was storing chat logs and photos from their ‘toys’ on their servers, and those were downloaded as well. This is not just another breach; when children are involved it changes things in a big way, especially when the data set not only identifies the children but ties them to their parents, their cities, their homes and all their personal information… along with photos.
Taking a step back, the VTech breach shows how unprepared we are for the Internet of Things wave and how little customers, regulators and the legal system care about enforcing strong security practices. When you read through the breach details and how VTech’s systems were built, you will see quickly that every single best practice and common-sense security approach was disregarded for speed of development and ease of maintenance. Some of the uncovered items just make you bang your head against the wall and scream ‘Why!?!?’. Beyond stupid.
You can read a very good breakdown of the breach here – http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html
Here’s my biggest head shaker –
…there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. Those passwords will match many of the parent’s other accounts and they deserve to be properly protected in transit.
Of course once the passwords hit the database we know they’re protected with nothing more than a straight MD5 hash which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text
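To make the quoted point concrete, here is an added example (my own code, not VTech’s and not from Troy Hunt’s write-up) contrasting the two storage schemes the breach exposed. It uses a handful of constructed sample passwords and shows the property a defender can audit for directly: an unsalted MD5 column gives every account that shares a password the same stored value, so one cracked hash unlocks all of them, while a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library, assumed here as the replacement) gives distinct values and still verifies correctly. The iteration count and the `$`-separated record format are my assumptions for the demo.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional

# Constructed sample credentials for the demonstration; not from any real data set.
SAMPLE_PASSWORDS = ["password123", "password123", "Tr0ub4dor&3"]


def md5_store(password: str) -> str:
    """The weak scheme from the quote: a single unsalted MD5 digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> str:
    """A salted, iterated scheme: PBKDF2-HMAC-SHA256 with a per-user random salt.

    The record layout 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' is an
    assumption for this example; it keeps the parameters beside the digest so
    they can be raised later without breaking verification of old records.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_value_count(stored_values: List[str]) -> int:
    """Number of stored records whose value is identical to at least one other record.

    For an unsalted scheme this equals the number of accounts sharing a password
    with someone else, which is exactly the leakage a defender auditing a user
    table should be looking for.
    """
    counts = Counter(stored_values)
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    md5_column = [md5_store(p) for p in SAMPLE_PASSWORDS]
    kdf_column = [pbkdf2_store(p) for p in SAMPLE_PASSWORDS]
    print("MD5 records sharing a value:   ", shared_value_count(md5_column))
    print("PBKDF2 records sharing a value:", shared_value_count(kdf_column))
    print("verify correct password:", pbkdf2_verify(SAMPLE_PASSWORDS[0], kdf_column[0]))
    print("verify wrong password:  ", pbkdf2_verify("not-the-password", kdf_column[0]))
```

Running `shared_value_count` over an exported credential column is a cheap sanity check: a non-zero result on a table that is supposed to be salted means the salt is not actually being applied, and a high result on an unsalted table quantifies how many accounts fall with each cracked hash.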
In a follow-up update it was revealed that photos of the kids were accessible and had been downloaded; you can see those details here – http://motherboard.vice.com/en_uk/read/hacker-obtained-childrens-headshots-and-chatlogs-from-toymaker-vtech
Beyond the details of the breach, which are a fascinating read both as a consumer and as a security professional, I want to focus on VTech’s response post-breach. All I can say is that VTech’s leadership either has body parts made of iron to thumb their noses at everyone, has no clue how to secure a lunch bag, or is pushing the limits to force action. Probably a mix of the first two, I’d say.
In the wake of the breach, instead of turning around and becoming a security-conscious company, pushing a PR campaign to lead the way in an IoT security revolution and doing what needs to be done, VTech has decided to try to absolve itself of being lazy and incompetent.
VTech’s strategy is to hide behind the all-powerful Terms and Conditions and absolve itself of responsibility for anything it builds. Updating the T&Cs to let them do whatever they want seems to be the go-to legal recourse for companies. Here’s the section in question; I highlighted the good parts.
Limitation of Liability
YOU ACKNOWLEDGE AND AGREE THAT YOU ASSUME FULL RESPONSIBILITY FOR YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM IS AT YOUR OWN RISK. RECOGNIZING SUCH, YOU UNDERSTAND AND AGREE THAT, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEITHER VTECH NOR ITS SUPPLIERS, LICENSORS, PARENT, SUBSIDIARIES, AFFILIATES, DIRECTORS, OFFICERS, AGENTS, CO-BRANDERS, OTHER PARTNERS, OR EMPLOYEES WILL BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY OR OTHER DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER TANGIBLE OR INTANGIBLE LOSSES OR ANY OTHER DAMAGES OR LOSS BASED ON CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER THEORY (EVEN IF VTECH HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM THE SITE OR SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM; THE USE OR THE INABILITY TO USE THE SITE; UNAUTHORIZED ACCESS TO OR ALTERATION OR DESTRUCTION OR DELETION OF YOUR TRANSMISSIONS OR DATA OR DEVICE; STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE SITE; ANY ACTIONS WE TAKE OR FAIL TO TAKE AS A RESULT OF COMMUNICATIONS YOU SEND TO US; HUMAN ERRORS; TECHNICAL MALFUNCTIONS; FAILURES, INCLUDING PUBLIC UTILITY OR TELEPHONE OR INTERNET OUTAGES; OMISSIONS, INTERRUPTIONS, LATENCY, DELETIONS OR DEFECTS OF ANY DEVICE OR NETWORK, PROVIDERS, OR SOFTWARE; ANY INJURY OR DAMAGE TO COMPUTER EQUIPMENT; INABILITY TO FULLY ACCESS THE SITE OR ANY OTHER SITE; THEFT, TAMPERING, DESTRUCTION, OR UNAUTHORIZED ACCESS TO, OR ALTERATION OF, ENTRIES, IMAGES OR OTHER CONTENT OF ANY KIND; TYPOGRAPHICAL, PRINTING OR OTHER ERRORS, OR ANY COMBINATION THEREOF; OR ANY OTHER MATTER RELATING TO THE SITE OR THE SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, VTECH’S LIABILITY TO YOU FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO THE AMOUNT PAID, IF ANY, BY YOU TO PURCHASE A VTECH DEVICE OR SOFTWARE.
In a legal sense they are trying to wash their hands of basically everything they do. VTech thinks it has no responsibility for its customers’ security or privacy, or for protecting the data and images it collects and stores. They cannot do this, and I hope the legal system and, more impactfully, their customers realize their complete lack of a security mindset for that data and bail on them. This is absurd, but what’s more absurd is that there are no regulations, laws or other governance arm to monitor and hold companies accountable. They built their products with zero security and people bought them. What can anyone do? It’s the risk they take because no one is forcing protection.
Do you want more warm fuzzies? VTech and their security-lacking products are moving into the home monitoring market. Sleep well.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.