VTech fondleslabs for kids 'still vulnerable' despite sanctions

Researchers claim flaws remain more than two years later

By John Leyden


New InnoTab child learning devices still have the same security flaw first found by researchers at Pen Test Partners two years ago.

The issues persist even after manufacturer VTech was fined $650,000 by US watchdogs at the Federal Trade Commission (FTC) via a ruling published earlier this week. The settlement deal came after the FTC scolded the children's toymaker for both unnecessarily collecting kids' personal information and (worse) failing to protect this sensitive data before a massive breach in November 2015.

As well as paying the fine, VTech agreed to apply privacy and security requirements so that it complied with the Children's Online Privacy Protection Act (COPPA) and the FTC Act, as previously reported.

The 2015 hack on VTech's online services led to the theft of sensitive customer information about millions of children and parents.

Tests by UK security consultancy Pen Test Partners at the time found it was possible to lift data from VTech's InnoTab tablet, as El Reg reported.

The same tests on a newly purchased InnoTab reveal that the same hack is still possible and nothing has been done to address the problem, according to Pen Test Partners' Ken Munro.

The FTC settlement resulted in VTech promising to improve its security. More specifically, the deal means that VTech is "required to implement a comprehensive data security program, which will be subject to independent audits for 20 years" as well as being barred from "misrepresenting its security and privacy practices".

In response to queries from El Reg, VTech said it was working hard to fulfil its security obligations. It said that the "criminal cyber attack on VTech databases should not be compared with the physical dismantling of one of our products" since they are "fundamentally different acts" before stating that it takes security in general seriously.

"While it is not appropriate to share the details, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers' data following the cyber attack in 2015.

"We can assure you that we take the commitment on cyber security we gave the FTC last week very seriously indeed. VTech is committed to and will progressively execute data security improvements so that customers of VTech products and services can rest assured the data they entrust with VTech is well protected."

Munro wasn't impressed by what he described as a "carefully caged non-answer". "It doesn't deal with the hardware security issues we raised," he added. ®
