Kids’ electronics manufacturer VTech, known for the VTech Innotab Max kids tablet, is unfortunately seeing what happens when you don’t put security first. Just a little over a week ago, the company revealed that its Learning Lodge app store was breached earlier in the month (November 14, 2015) and that email addresses, names, passwords, secret questions and answers, IP addresses, download histories, and physical mailing addresses were taken. VTech later confirmed that 6.4 million children were exposed in the data breach.
Now, a new report shows why last month’s data breach was possible: the VTech Innotab Max kid tablet is rife with hardware vulnerabilities that make such a data breach all too easy, as discovered by security firm Pen Test Partners. First, the VTech Innotab Max RockChip RK3188 processor (a quad-core processor designed for budget-friendly devices with equal raw power to NVIDIA’s Tegra 3 processor) can write firmware to recover the tablet from a bricked state and can equally read out the data stored on it. You need only dump the data partition to run off with child and parent data in an hour or less.
Next, the VTech Innotab Max microSD card takes only seconds to detach, and reading it pulls up user data and the file system. Since the microSD card lacks any data encryption whatsoever, there’s nothing stopping a hacker from gaining access to personal information in a matter of minutes.
Last but not least, the VTech Innotab Max kid tablet is also rooted by default, with ADB (auto debugging) enabled from the outset. Why would a kids tablet need to be rooted by default when rooting wouldn’t benefit the child? Of course, rooting does allow older users to customize their Android device, but rooting in general brings all types of security issues that non-rooted devices do not experience. I guess VTech wants to give admin access to parents, but do Amazon kid tablets have ADB enabled from the outset and default root? I think not. Amazon gives parents control over their child’s web browsing and game-playing habits, but has not rooted its tablets to achieve this measure of freedom.
The VTech Innotab Max kid tablet comes pre-loaded with Android 4.1.1 Jelly Bean, which is vulnerable to the Heartbleed exploit. The Heartbleed exploit is present on all devices bearing Android 4.1.1 and under (a group that includes the VTech Innotab Max). Analytics firm Chitika says that the total number of devices bearing Android 4.1.1 and under in April 2014 was around 50 million worldwide, with 10% of those being vulnerable in the US.
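A defender's check for the device-side findings above, as an added example that is not from the original article or from Pen Test Partners: it parses `adb shell getprop` output and flags ADB running as root, ADB enabled out of the box, an unencrypted data partition and Android 4.1.1. Both property dumps are constructed for illustration and were not captured from an Innotab Max.

```python
import re

# Constructed getprop dumps (assumed values, not captured from a real device).
WEAK_DUMP = """\
[ro.build.version.release]: [4.1.1]
[ro.debuggable]: [1]
[ro.secure]: [0]
[persist.sys.usb.config]: [mass_storage,adb]
[ro.crypto.state]: [unencrypted]
"""
HARDENED_DUMP = """\
[ro.build.version.release]: [6.0.1]
[ro.debuggable]: [0]
[ro.secure]: [1]
[persist.sys.usb.config]: [mtp]
[ro.crypto.state]: [encrypted]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")


def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, skipping anything malformed."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit(props):
    """Return one finding per insecure default described in the article."""
    findings = []
    if props.get("ro.secure") == "0":
        findings.append("adbd runs as root (ro.secure=0)")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable=1)")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("ADB enabled by default in the USB configuration")
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("data partition not reported as encrypted")
    if props.get("ro.build.version.release") == "4.1.1":
        findings.append("Android 4.1.1, the release the article ties to Heartbleed")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit(parse_getprop(dump)))
```
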
Apart from the manufacturing and security risks with the VTech Innotab Max, there is the troubling issue of why VTech would sell the kid tablet rooted. Rooted tablets don’t have access to updates from the manufacturer (due to the loss in warranty), and thus aren’t protected from rooting. Apparently, someone may have found his way into the VTech information by way of the vulnerabilities described here.
MicroSD cards are a dime a dozen these days, making them easier than ever to buy in bulk and stuff in cheap, budget-friendly tablets such as the $100 VTech Innotab, but when it comes to children, extra security measures should be in place. No matter how cheap and affordable a tablet may be, it’s not worth the budget-friendly price if it isn’t kid-friendly. And web security and internet protection are essential to preventing child identity theft and fraud, among other things.