VTech fondleslabs for kids 'still vulnerable' despite sanctions

Researchers claim flaws remain more than two years later

By John Leyden

Posted in Security, 18th January 2018 09:02 GMT

New InnoTab child learning devices still have the same security flaw first found by researchers at Pen Test Partners two years ago.

The issues persist even after manufacturer VTech was fined $650,000 by US watchdogs at the Federal Trade Commission (FTC) via a ruling published earlier this week. The settlement deal came after the FTC scolded the children's toymaker for both unnecessarily collecting kids' personal information and (worse) failing to protect this sensitive data before a massive breach in November 2015.

As well as paying the fine, VTech agreed to apply privacy and security requirements so that it complied with the Children's Online Privacy Protection Act (COPPA) and the FTC Act, as previously reported.

The 2015 hack on VTech's online services led to the theft of sensitive customer information about millions of children and parents.

Tests by UK security consultancy Pen Test Partners at the time found it was possible to lift data from its InnoTab tablet, as El Reg reported.

The same tests on a newly purchased InnoTab reveal that the same hack is still possible and that nothing has been done to address the problem, according to Pen Test Partners' Ken Munro.

The FTC settlement resulted in VTech promising to improve its security. More specifically, the deal means that VTech is "required to implement a comprehensive data security program, which will be subject to independent audits for 20 years", as well as being barred from "misrepresenting its security and privacy practices".

In response to queries from El Reg, VTech said it was working hard to fulfil its security obligations. It said that the "criminal cyber attack on VTech databases should not be compared with the physical dismantling of one of our products" since they are "fundamentally different acts" before stating that it takes security in general seriously.

While it is not appropriate to share the details, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers' data following the cyber attack in 2015.

We can assure you that we take the commitment on cyber security we gave the FTC last week very seriously indeed. VTech is committed to and will progressively execute data security improvements so that customers of VTech products and services can rest assured the data they entrust with VTech is well protected.

Munro wasn't impressed by what he described as a "carefully caged non-answer". "It doesn't deal with the hardware security issues we raised," he added. ®
