Yet more VTech vulnerabilites exposed

News by Max Metzger

The security consultancy Pen Test Partners has found major security vulnerabilities in VTech devices, only adding to the bill of mistakes that the toy company has made over the past weeks.

Not a week after a headline making breach and the electronic toymaker VTech has been caught out again.

This time, Pen Test Partners has rubbished VTech's Innotab slabs. The slab is VTech's tablet for kids who can use the tablet to play games and read, much like an iPad.

But when tested, Pen Test Partners found that they could crack the device all too easily. The slab is based on the RockChip CPU which the partners have previously cracked. The RockChip lets new firmware be written to it if the device is crashed. It also lets you read data from that device.

It's also easy to dump the data partition on the device, allowing anyone with the will the ability to steal the valuable data contained therein.

It doesn't end there. If one were to take the slab apart it would be all too easy for them to pry off a removable microSD card that stores both the user and filesystem data.

The slab runs Android 4.1.1. which Ken Munro of Pen Test Partners did not seem too enthusiastic about in a blog post announcing the vulnerability.

“We'd seen VTech were releasing some Android tablets about a year ago. We'd been meaning to have a look at them for ages,” Munro told “The VTech breach reminded us.” 

And it wasn't hard to do, said Munro: “We were looking at the device for about five minutes before we realised we could get into it.”

VTech's name has stayed in the headlines over the past week after a massive breach that left millions of its customers' details exposed. The attackers made off with the details of 6.5 million children and adults which including photos, names, birthdays, chat logs, passwords, secret questions and answers.  

The other revelation beyond the massive scale of the hack and the theft of children's data was the astounding weakness of VTech's security. At the time, security researcher Troy Hunt spoke to SC, commenting on the data he had seen that was taken in the breach: "The VTech systems I saw were very old with most of the technology dating back half a decade or more”, he said, adding that VTech “just didn't maintain the systems as technology evolved and new threats emerged.”

The theft of children's data certainly sounds heinous but what is the real risk here? Munro said, “We tend to think of cyber-crime as primarily financially motivated [but] there's plenty of people out there who will use that data.”

To remedy the wave of unfortunate events that has hit VTech over the last few weeks, Munro told SC that the toy company not only has to fix the issue but as “a big brand, needs to tell the world how they're going to deal with this”. 

VTech, says Munro has to be original at this point, to do something unique that other companies who have befallen similar fates have not. “Set up a programme teaching kids security,” he said, or teach adults how to do the same thing for their kids. 

In essence, be proactive, as opposed to merely reactive, about mending this problem.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews