Tuesday, 08 December 2015 09:49

When will enough be enough when it comes to IoT security? VTech and Hello Barbie


When things are not quite right you always hope for that “ah-ha” moment when everyone realizes the issue and actually begins to work on a solution. For connected devices we have been hoping for that since they were first introduced, and we are still waiting for the industry to have that moment. We thought that perhaps it would happen when a host of connected cameras were compromised, allowing people to spy on and even talk to the children being monitored by them. However, while the hole was covered up with tape (not really fixed), there was no general outcry to have these connected devices secured properly.

Now we have another, and more serious, breach of connected devices. Once again children are the victims here. The bad guys managed to compromise VTech’s systems and had their way with the database servers. They were able to get away with a massive number of records, both adults’ and children’s. According to VTech’s FAQ page about the breach, a total of 4,854,209 Adult/Parent accounts were taken and an even more astonishing 6,368,509 child profiles were affected. Once the hackers compromised the VTech Learning Lodge they were able to gain access to the Kid Connect servers. As of this writing VTech has shut down the Learning Lodge and the Kid Connect network.

To make matters worse, VTech was not aware of the breach until a journalist called them and asked them about an incident on November 23rd. VTech performed an investigation and discovered that the breach might have started as far back as November 14th. VTech has been very upfront about the breach, but that does not change the fact that it happened and a large amount of data was stolen. One statement that was more than a little disconcerting was “Kid profiles unlike account profiles only include name, gender and birthdate”. It is not hard to connect a child to a parent, and considering that photos, chat logs and audio files were possibly stolen, you now have an even larger issue. VTech states that all passwords, photos, chat logs and audio files are encrypted with AES128, but this encryption has an exploitable flaw that can be used to decrypt these files, so that is no guarantee of security. About the only good news from this breach is that, so far, no credit cards, drivers’ licenses or Social Security Numbers have been compromised.

But wait, there’s more! It seems that another children’s toy, Hello Barbie, is so full of security holes and bad code that Bluebox Security actually said “It shipped with unused code that serves no function but increases the overall attack surface”. The list of things wrong with this toy at launch is simply unacceptable, including connecting to ANY open WiFi network that has the word “Barbie” in it. The back-end cloud servers were susceptible to POODLE attacks, and the list goes on. ToyTalk (the manufacturer) has been quick to respond to the disclosure. They have made some improvements on the devices, but not everything has been patched. A quick check of the site also finds that they are playing the semantics game. In one place they claim that audio is transferred using “industry-standard TLS (transport layer security) protocol”, but they fail to mention which version. TLS 1 and 2 are vulnerable to compromise, so knowing the version here is important.

So we have two children’s devices/services here. One has been compromised (and seriously), the other is very open to compromise. Yet nothing seems to be getting done to ensure proper security for all of these connected devices. They are still just as open and vulnerable as they were three years ago. The technology in use and the development seem to be more about what is available and cheap rather than any attempt to secure your (or your child’s) information. This needs to change, and now. Bluebox’s own research points that out very clearly: “All of the issues discovered highlighted point to the need for more secure app development, as well as the need for integrating self-defending capabilities into not only stand-alone mobile apps, but also the apps that power IoT devices like Hello Barbie. Ultimately, this research demonstrates the security of the mobile apps associated with IoT devices must be a higher priority.” We could not agree more, but there has to be a push back from the market before anything will change. After all, if people still buy this stuff like there is no tomorrow, why would anyone change? We are wondering when the market will have had enough and demand more security from the makers of IoT devices in general, and whether it will be far too late at that point to make a difference.
