It also is cooperating with law enforcement agencies worldwide to investigate the incident and has temporarily shut down several websites, its Learning Lodge app store, and its Kids Connect service, which is similar to WhatsApp.
Mandiant will lead the forensic investigation into the breach, review all aspects of how VTech handles customer information, and define how VTech can better secure user data using its Incident Response Services.
VTech has taken heat for being lackadaisical about security.
“There have been multiple industry breaches that could have served as a warning to evaluate their defenses,” asserted Kymberlee Price, senior director of researcher operations at Bugcrowd, pointing to Risk Based Security’s quarterly Data Breach Intelligence report, which said there were more than 3,000 data breaches worldwide in the first three quarters of 2015.
VTech repeatedly has pointed out that it uses AES-128 encryption for some data, including photos.
AES-128 is “a reasonable security defense approved by the United States government in use up to the Secret level of classification, [but] VTech’s problem is that it appears they did not properly implement encryption, using constant values in the MD5 hashes employed,” Price told the E-Commerce Times.
MD5 has been “widely denounced as a known weak password hash algorithm since 2010,” she pointed out, and SHA-2 is now recommended instead.
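As an added illustration (not VTech’s code and not from the article), the following Python contrasts the flaw Price describes, an MD5 hash built over a constant value, with per-user random salts and PBKDF2-HMAC-SHA256, a SHA-2 construction; the constant value and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical application-wide constant standing in for a fixed "salt".
CONSTANT_VALUE = b"app-wide-constant"
# Assumed work factor for PBKDF2; tune to the deployment's hardware.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """MD5 over a constant value plus the password.

    Because the constant is the same for every account, two users who
    choose the same password end up with identical stored hashes."""
    return hashlib.md5(CONSTANT_VALUE + password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per user.

    Returns (salt, digest); both are stored alongside the account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_strong(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = strong_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def same_password_same_record(scheme: str, password: str) -> bool:
    """True if two accounts sharing a password get identical stored records."""
    if scheme == "weak":
        return weak_hash(password) == weak_hash(password)
    return strong_hash(password) == strong_hash(password)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("weak scheme, identical records for two users:", same_password_same_record("weak", pw))
    print("salted PBKDF2, identical records for two users:", same_password_same_record("strong", pw))
```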
Why Did VTech Stumble?
To be fair, VTech is suffering from a systemic problem plaguing the consumer electronics industry.
This industry “has been slow to invest in security,” Price said. “Presumably they underestimate security risks because they aren’t dealing with financial transactions or business intelligence, [so] they believe they aren’t an attractive target for hackers.”
There is hope, however — the Sony PlayStation Network hacks between 2011 and 2014 have spurred the gaming industry to improve security, and public reports of the security threat posed by the Internet of Things have led IoT vendors to look more closely at security, she noted. The VTech breach and news that Mattel’s Barbie can be hacked may spur change in the kids’ electronic products sector.
What Else Should VTech Do?
VTech “should have been encrypting all user data both in transit and at rest, not just some of the content,” Price said. “The problem isn’t the consumer using technology insecurely, but the vendor’s inadequate protection of the data.”
The hacker who breached VTech got the idea from a thread on hacking the VTech Innotab, and other websites carrying similar content probably exist, so VTech should conduct ongoing monitoring of potential threats to their customers, Price suggested.
VTech did not respond to our request to provide more details.
How to Keep Kids Safer
Parents “must now make conscious decisions about what data on their children to trust companies such as VTech with,” Péter Gyöngyösi, product manager at Balabit, told the E-Commerce Times.
Read vendors’ privacy policies, Price urged, and find out how data is transmitted and stored before making a purchase.
Parents should consider setting up an anonymous email account to use for account registration that doesn’t identify either them or their kids, disable location services in the application, and refrain from linking third-party apps to social media or accounts affiliated with their personal information.
Electronic toys from non-U.S. companies pose a greater threat to kids than those made in this country.
“There is zero legislation to address non-U.S. companies gathering information on kids,” said Ted Collins, CTO of Playrific.
“The FTC has no jurisdiction over anything outside the 56 states and territories of the U.S.,” he told the E-Commerce Times. “We don’t even have an appropriate agency tasked with protecting kids.”