Children's electronic toy company VTech is now at the centre of a storm over a breach of its user database, which worryingly included the details of 3 million child profiles. In a recent statement, VTech asserts that children's accounts contained only the gender, birthday and name of the child. Alongside those details, however, were 1.2 million parent accounts for Kid Connect, an app which allows parents to communicate with their kids over VTech connected devices. These accounts contain profile pictures as well as certain chat logs, which are kept on VTech servers for 30 days. VTech's ongoing investigation is expected to confirm whether or not any pictures of children were taken.
The technique behind this hack is not so different from others we've seen in recent times: SQL injection was used to exploit a vulnerable web database, and that entry point was then used to access other network resources.
The nature of this particular breach raises a number of concerns about how seriously VTech has taken the security of its own systems and, more importantly, its customers' data. Firstly, they were unaware that they were being hacked. Technology website Motherboard was contacted by the alleged hacker, who gave them details of what had been breached. Motherboard then contacted VTech for a response.
“On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database,” Grace Pang, a VTech spokesperson, told Motherboard in an email. “We were not aware of this unauthorized access until you alerted us.”
This suggests that VTech did not have any way of monitoring their systems for intrusions or any kind of technology in place to alert them that something might be wrong.
In terms of the data itself, much was stored in plain text. Some passwords were hashed with MD5, but unsalted MD5 is considered fairly easy to crack with the right tools. It also seems that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected.
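To make the two weaknesses above concrete, here is an added example (not VTech's code, and not from the original post) showing a lookup that concatenates user input into SQL beside its parameterized form, and a password check that uses salted, iterated PBKDF2 instead of a single unsalted MD5 round. The `parents` table, e-mail addresses and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_pw(password: str, salt: bytes) -> bytes:
    # Salted, iterated PBKDF2-SHA256: one guess costs 100k rounds, and the
    # per-user salt means a precomputed MD5 table is useless against it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with sample accounts (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (email TEXT, pw_salt BLOB, pw_hash BLOB)")
    for email, pw in [("alice@example.com", "correct horse"),
                      ("bob@example.com", "hunter2")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO parents VALUES (?, ?, ?)",
                     (email, salt, hash_pw(pw, salt)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Untrusted input is pasted straight into the statement, so a crafted
    # value can change the WHERE clause and return every row.
    query = "SELECT email FROM parents WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the driver binds the value as data, so it can
    # never be interpreted as SQL no matter what it contains.
    return [row[0] for row in
            conn.execute("SELECT email FROM parents WHERE email = ?", (email,))]


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT pw_salt, pw_hash FROM parents WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_pw(password, salt), stored)
```

With the classic test string `' OR '1'='1`, `lookup_vulnerable` returns every account while `lookup_safe` returns nothing, which is exactly the difference a parameterized query buys you.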
Finally, it seems that the SQL injection enabled the attacker to get "root access" to the database. Whilst no further details are provided on how this was done, the default settings for master accounts would need to be changed in order to make it harder for an attacker to get full control of a SQL database. It is possible to limit remote access capabilities, change the username or secure access with SSH; it seems unlikely that any of these was done.
Even if the settings of the SQL server weren't changed, storing the root credentials in a password vault and only granting access through a secured and monitored remote connection could have prevented the worries of more than 6 million parents and the tidal wave of negative publicity that is coming at VTech.
You can find out more about how WALLIX helps secure and manage privileged accounts by following the link below.