Why VTech Breach is So Bad - and So Avoidable

Cybersecurity , Data Breach

11.2 Million People's Data Exposed by SQL Injection Attack Why VTech Breach is So Bad - and So Avoidable

The data breach involving Hong Kong toymaker VTech highlights a growing concern over manufacturers selling many more devices that are Internet-connected, yet apparently failing to safeguard those devices - and related information that gets collected and stored - against even the most rudimentary types of online attacks (see Toymaker VTech Hacked: 200,000 Kids' Data Exposed).

See Also: Defense Strategies for Advanced Threats: Breaking the Cyber Kill Chain with SANS 20 Critical Security Controls

Of course, that trend is no surprise to anyone who's been following the rise of the so-called Internet of Things, which refers to the wave of Internet-connected devices found everywhere from enterprise and medical realms to homes and schools (see The Internet of Buggy Things). No doubt, however, many people have downplayed the theoretical privacy harm posed by the family's Internet-connected refrigerator getting hacked and shopping list stolen. But the actual risk posed by insecure, Internet-connected devices has now been highlighted for millions of people in the wake of VTech acknowledging that personal data about children, as well as their plaintext chat messages and encrypted audio recordings and photographs, were recently compromised in a data breach.

The apparent severity of the breach at VTech, which reported annual revenue of $1.9 billion earlier this year, has continued to increase since the company first confirmed Nov. 27 that it had been breached, with the latest count of breach victims hitting 11.2 million people. In its most recent breach notification, released Dec. 2, the company says that on Nov. 14, "an unauthorized party accessed VTech customer data" connected with the databases and servers behind these services:

Learning Lodge: An app store for downloading apps, games, e-books and the like onto VTech products. Kid Connect: A service that allows parents to use an Android or iOS app to chat with their kids who are using a VTech tablet. PlanetVTech: An online virtual world that the company says is "designed for kids 6+" and allows them to "interact with other children in a safe, text-controlled format," as well as to "make friends."

Those services - and related websites - remain suspended "as a precautionary measure," VTech says. "Regretfully our Learning Lodge, Kid Connect and PlanetVTech databases were not as secure as they should have been." The company also recommends that all customers "immediately change your passwords on any other sites that may use the same email, secret question and answer, and password combination."

Authorities Launch Investigations

Hong Kong's privacy commissioner, as well as attorneys general in multiple U.S. states, have said they are probing the breach.

Vtech says that while its breach investigation remains ongoing, it now believes that personally identifiable information relating to 11.2 million individuals was breached, although adds that no payment card data was compromised. "In total 4,854,209 customer - parent - accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts," the company says. Parents' accounts, it says, include the adult's name and mailing address, email address, a password-retrieval secret question and answer, as well as IP address, download history and encrypted password. "In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles - unlike account profiles - only include name, gender and birthdate," it adds.

The greatest number of breached profiles - affecting 2.9 million children and 2.2 million adults - are from customers in the United States, followed by France and the United Kingdom, which respectively saw 1.1 million and 727,000 children's profiles breached.

#VTech Data Breach: Top 5 most-affected countries: USA, France, UK, Germany Canada ... https://t.co/aDPFeMTXrn pic.twitter.com/qS1W9VfaML

SQL Injection: A Well-Known Threat

The VTech site was breached using a SQL-injection attack, the alleged hacker behind the attack tells Vice Motherboard, which was the first to report news of the breach.

SQL injection attacks involve entering SQL code into online entry fields. Any application that fails to reject this input could then receive direct database instructions from an outside attacker. That's why SQL injection flaws offer attackers an easy-to-exploit vulnerability with the potential for causing a severe impact, because if they succeed, they can very often be used to reveal any or all information stored in an Internet-connected database.

The Open Web Application Security Project - or OWASP - ranks these types of "code injection" flaws as the most severe risk facing Web applications, and thus the very first type of flaw that should be eliminated from any Web application.

To defend against such attacks, information security experts have long recommended building Web applications that reject any types of unexpected inputs. But experts say that too many organizations - most likely driven by time-to-market concerns - continue to fail to build secure applications, test and verify that their applications will resist those types of attacks, or use Web application firewalls, also known as virtual patching, to help block these types of attacks.

Information security consultant Claus Cramon Houmann at Luxembourg-based ImproveIT Consulting, who's also a member of I Am The Cavalry - a grassroots organization focused on advancing the security of medical devices, automobiles, home electronics and public infrastructure - says he is surprised "not at all" by the VTech breach. "Sad, not surprised," he says. "There are no surprises anymore when the OWASP top one isn't implemented correctly. Knowledge spreads too slowly to those who need it."

Few Incentives to Secure Devices

Companies also are not being compelled to implement security correctly, Houmann says. "There is very little incentive for companies to safeguard their data, [any] fines and punishment aren't severe enough for it to become better," he says. "They worry only where compliance is involved - like PCI DSS - and VTech quickly pointed out that financial information wasn't at stake here, which misses the point by a large margin."

But Paul Haswell, an attorney at the Hong Kong office of law firm Pinsent Masons, says in a blog post that he hopes the VTech breach will spark worldwide privacy law changes. "This is a wake-up call for Hong Kong: the first high-profile data breach suffered by a Hong Kong company that is likely to have worldwide ramifications," he says. "I hope that this will lead to an amendment of the existing data privacy laws, to include requirements to keep data more secure, and with stiffer penalties for failing to do so. ... It is also worth noting that lots of the data lost has been collected from users overseas and will be subject to international data privacy laws."