And once again, the messy technical flaws of a company are being exposed with the recent VTech hack – it’s really not looking good for them with account passwords ‘secured’ with unsalted md5 hashes and all kinds of private information being leaked includes parents addresses, kids birthdays, genders, secret answers and associated meta-data (IP addresses, download histories and more).
The attack originally claimed to have leaked only around 220,000 records – but it turns out to be way worse than that. 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.
Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker’s database.
And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too.
Chinese electronics giant VTech today admitted its systems were compromised on November 14. Miscreants were able to extract customer records from its Learning Lodge app store, which provides downloads of games, books, music and other stuff for VTech toys. The Hong Kong-based biz specializes in making computer-like gizmos for preschool kids to play with, settling them in for a lifetime of fondleslab smearing and internet addiction.
Computer security bloke Troy Hunt says he has seen a copy of the swiped information, and reckons he found “4.8 million unique customer email addresses,” suggesting that many accounts have been raided by hackers.
He also said people’s account passwords were one-way encrypted using MD5, a particularly weak hashing algorithm, meaning simple passwords can be easily cracked and revealed. No salting was used, so off-the-shelf rainbow tables can be used to divulge rudimentary passwords like “children15” or “welcome81”.
So yah pretty serious stuff, with the compromises of KidConnect and Learning Lodge holding some fairly sensitive information on both parents and children. Even though chats, images and audio are encrypted, it turns out they aren’t encrypted very well using a fairly weak algorithm AND weak keys. For example in the md5 hash for the filename they use a hash of the KidConnect username, in uppercase, and a constant value – ‘vtech’ or ‘vtechvtech’.
And the data itself is encrypted with the current time + a PRNG = not a very securely encrypted file.
Toymaker VTech has admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.
On Tuesday, the Hong Kong biz confessed in an updated FAQ page that it did not properly secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.
That admission comes four days after it emerged that a hacker had raided the entertainment company’s customer database.
After families buy VTech’s computer-like toys, which are aimed at preschool tykes, they are encouraged to sign up for online accounts to download apps, music, books and more to the gizmos.
That requires handing over sensitive information, such as parents’ names, email addresses and home addresses, and the birthdays, names, and genders of youngsters. All this data – plus MD5-hashed passwords, secret answers to personal questions for password resets, IP addresses, and download histories – was snatched by an intruder who bypassed VTech’s poor online security.
“Regretfully our database was not as secure as it should have been,” VTech’s FAQ admitted.
So yah, quite a mess for them. They are vehemently claiming no credit card details or social security numbers were leaked – because well that stuff makes you liable.
But everything else was leaked, and honestly – along with it one of the worst crypto implementations I’ve ever seen. If you really want to have a laugh, check it out here:
At the weekend I reversed the vtech kidconnect app and found this. Not surprised at the latest developments at all. pic.twitter.com/ghrlTPZHNo
— slipstream/RoL (@TheWack0lian) November 30, 2015
Seriously.
Source: The Register
The data hasn’t been leaked.