Are you a parent? Have you ever made the mental calculation, “My kids want ToyX, but I can only afford knockoff ToyY, and they’re probably too young to tell the difference?” And to be fair, I’m sure that your two-year-old was just as happy getting the $5.00 “Space Wars” R2-D2 knockoff that looked like a blue-and-silver buttplug.
Similarly, your child may not be able to tell the difference between a $1000 iPad and a $50 VTech “InnoTab 3.” Here’s some bad news, however: hackers definitely can.
VTech manufactures low-cost tablets designed for the children’s and educational market. Since 2015, each of their crap products can be connected to the web, allowing children and parents to register on their website and download apps. According to security researcher Troy Hunt, this registration data has been comprehensively breached, exposing the names, addresses, emails, and phone numbers of about 4.8 million individuals.
Added to this cheerful fact, it looks like VTech’s security was beyond negligent — beyond comically incompetent, even. For starters, they stored passwords using an MD5 hash. This sounds powerful and hard to break, but in fact MD5 is extremely busted, cryptographically: it is fast, and when it is used without a per-user salt, every user with the same password gets the same hash. Guarding your passwords using an MD5 hash is like guarding the crown jewels with a luggage lock. It’s just not adequate.
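To make the luggage-lock comparison concrete, here is an added example (my own illustration, not code from VTech or from the original post) that puts a bare MD5 password store next to a salted, deliberately slow one. The sample password is made up.

```python
import hashlib
import hmac
import os

# Constructed sample credential for illustration only (not from the breach).
SAMPLE_PASSWORD = "password"


def md5_store(password: str) -> str:
    """The weak scheme: a bare, unsalted MD5 digest of the password.
    Every user with the same password gets the same stored value, and MD5
    is fast enough that a leaked table is not far from plaintext."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """A stronger scheme: a random per-user salt plus a slow key-derivation
    function (PBKDF2-HMAC-SHA256). Stored as
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (a format I chose
    for this example)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and iteration count and
    compare it in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(store_fn, password: str) -> bool:
    """Do two accounts that share a password end up with the same stored
    value? True for unsalted MD5 (one lookup cracks them all), False for
    the salted scheme (each account must be attacked separately)."""
    return store_fn(password) == store_fn(password)
```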
Here’s where it gets worse. VTech allows children to set up their own logins, which are associated with their parents’ accounts. What this means is that, looking at this leaked data, a hacker can pretty easily figure out a child’s name, who their mom or dad is, and when they were born.
Lastly, and tragically, the manufacturer still hasn’t fixed any of the flaws that exist over its various sites. Secure connections do not exist on any of its websites, meaning that it would be trivial to perform a man-in-the-middle attack and capture even more sensitive data. The site is also vulnerable to SQL injection, and most of its assets use an ancient version of Flash.
To conclude: If you happen to have an InnoTab 3, or any other internet-enabled VTech product, turn its connection off right now. Optionally, you may also stamp on it several times, burn it, and bury the ashes where no one can find them.