Have you bought a VTech gadget for your kids, such as the VTech Flip e-reader, and set them up with a user account? If so, you might want to go to “Have I Been Pwned?” and check to see if your user information is there. It turns out that the well-known manufacturer of toy computers for kids also has toy security. Troy Hunt, founder of “Have I Been Pwned?,” reports that, thanks to a security breach on November 14, personal details of parents and children who registered their VTech devices with the manufacturer have been leaked: 4.8 million of them. That’s slightly more than the entire population of Boston.

Hunt goes into a great deal of detail about exactly how the breached information was collected and what kinds of facts make it up. He also notes that VTech has remarkably poor security for a mobile device manufacturer—it doesn’t use https to secure its pages, it uses an incredibly simple MD5 hash (which provides almost no protection at all) on its passwords, and its interface is replete with obsolete and insecure Flash applications.
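To make concrete why an unsalted MD5 digest offers so little protection, here is an added illustration (my own code, not anything from Hunt’s write-up or from VTech): an unsalted, fast hash is deterministic, so every account with the same password stores the same digest and a single precomputed table covers all of them, whereas a salted, deliberately slow key-derivation function such as PBKDF2 (my choice of replacement; the post names no specific alternative) produces a different stored value per account and makes each guess expensive. The account names, passwords and iteration count below are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: two registrations that happen to share a password.
SAMPLE_USERS: Dict[str, str] = {
    "parent_a@example.invalid": "letmein",
    "parent_b@example.invalid": "letmein",
}


def md5_store(password: str) -> str:
    """The weak scheme the post describes: one unsalted, fast MD5 digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_reveals_shared_passwords(users: Dict[str, str]) -> bool:
    """True if any two accounts end up with identical stored values.

    With unsalted MD5 that happens whenever two people chose the same password,
    so cracking one entry (or looking it up in a precomputed table) exposes all of them.
    """
    digests = [md5_store(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


# Iteration count is an assumption for the example; pick per current guidance in production.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow password storage: a fresh random salt and many PBKDF2-HMAC-SHA256 rounds.

    Stored format (my own, for this example): algo$iterations$salt_hex$derived_key_hex
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def pbkdf2_hides_shared_passwords(users: Dict[str, str]) -> bool:
    """True when every account gets a distinct stored value even with identical passwords."""
    stored = [pbkdf2_store(pw) for pw in users.values()]
    return len(set(stored)) == len(stored)


if __name__ == "__main__":
    for user, pw in SAMPLE_USERS.items():
        print(f"{user}: md5={md5_store(pw)}")
        print(f"{user}: pbkdf2={pbkdf2_store(pw)}")
    print("unsalted MD5 leaks shared passwords:", md5_reveals_shared_passwords(SAMPLE_USERS))
    print("salted PBKDF2 hides shared passwords:", pbkdf2_hides_shared_passwords(SAMPLE_USERS))
```

Running it shows the two MD5 entries are byte-for-byte identical while the two PBKDF2 entries differ, and `pbkdf2_verify` still accepts the right password and rejects a wrong one. The slow, per-account work factor is the property a defender wants: a leaked table of salted, stretched hashes costs an attacker per-guess, per-account effort instead of one table lookup.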

And Hunt notes that some of the security flaws are so inherent in the system that there’s no easy way to patch them:

Now here’s where I need to be intentionally vague because despite their assurances that their system is now secure, they still have gaping holes that allow every kid to be matched with every parent. The details of this have been passed on to VTech and I’ll say this much here: there’s no simple fix. The flaws are fundamental and the recommendation I’ve passed on is to take it offline ASAP until they can fix it properly. You just can’t take chances with other people’s data in this way, especially not when they’re kids.

He adds that the average age of kids whose accounts were compromised is five years old.

If you check your user information and it turns out to have been compromised, I’d suggest changing your password right away, and also changing it anywhere else you use the same password. And if you use the same password hint questions anywhere else, it might be a good idea to change them there, too. VTech says that no personally-identifying information such as social security numbers or financial information such as credit card numbers was stolen, but still, you can’t be too careful.

With the number of breaches that have been happening lately, it’s becoming clear that data security is a significant problem. And this VTech breach is in some ways worse. VTech gadgets are “just” toys, after all. They aren’t “real” computers. So maybe the manufacturer thought it didn’t have to go to the same sort of trouble to protect user information as it might with a “real” computer. If so, that was a serious mistake—very possibly even criminal negligence. If the breach is as Hunt describes, the company needs to have some strips taken off its hide.

The worst thing about these breaches is the way there’s nothing you as a user can do to avoid them. After all, you give your private data to these companies in good faith—companies that are, as far as you know, reputable and reliable, or you wouldn’t trust them with that kind of information. But as this VTech breach proves, you don’t necessarily have any way of knowing whether the inner workings reflect the façade. And you—and, for that matter, I—don’t have any way of knowing, even now, just how many companies we’ve trusted our information to are secretly rotten to the core with security holes.

Maybe we need some kind of independent certifying authority, authorized to conduct external security audits of tech companies to make sure their systems are secure. Maybe the government needs to set one up, or maybe there might be a voluntary one that doesn’t have any binding authority but offers seals of approval like the “real” dairy seal. Either way, as this VTech matter proves, it’s increasingly obvious that we can’t trust a lot of companies not to cut corners on their own security unless someone holds their feet to the fire. And we don’t have any way of knowing which companies are trustworthy and which aren’t until some enterprising hacker perpetrates the next breach—and by then it’s already too late.

(Found via BoingBoing and Ars Technica.)