VTech Tech Toy Hack – Good Morning Britain
In the wake of the VTech hack I answer ITV Good Morning Britain viewers’ concerns on the safety of their kids’ personal details.
Another week, another high-profile online hack.
In August 2015 the Ashley Madison scandal climbed the mainstream news agenda based largely on how the outed data transcended the all-too-commonplace bank details and password leaks.
The breach of tech-toy manufacturer VTech’s data last week has achieved a similar degree of infamy: six million sets of children’s personal details – including photos and chat transcripts – were swiped with apparent ease.
It’s of scant consolation that the hacker chose to share the story (and data) with a journalist rather than the denizens of the dark web: the Hong Kong firm hadn’t a clue that its online defences had even been breached until the journalist contacted them. That raises the question of whether VTech’s website has been breached before. Nobody, not even VTech, can be sure.
The very nature of the VTech hack is disappointing but, if there is a positive, it is also a cautionary tale for the remainder of the online industry.
‘SQL injection’ attacks are the oldest in the book, literally child’s play to execute, with plug-and-play exploitation toolkits and tutorials freely available online.
Like TalkTalk before it, VTech should have known better. Passwords were poorly secured (hashed with fatally insecure MD5 but not salted, therefore crackable with little more than a Google search), secret questions were stored in plain text and SSL security was non-existent, all of which indicates a business quite simply not taking seriously its duty of care with users’ most sensitive data.
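To make the password-storage point concrete, here is an added example (not code from VTech or from the original post) that puts unsalted MD5 beside a salted, deliberately slow alternative. The function names, the sample accounts and the iteration count are assumptions of this example, and PBKDF2-HMAC-SHA256 is used as one acceptable hardened scheme.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def weak_md5(password: str) -> str:
    """The scheme the article criticises: fast, unsalted MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hardened form: random per-account salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except ValueError:  # malformed record
        return False


def shared_hashes(records: dict) -> int:
    """How many stored values are duplicated across accounts."""
    values = list(records.values())
    return len(values) - len(set(values))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to pick the same password.
    accounts = {"parent_a": "Sunshine1", "parent_b": "Sunshine1"}
    weak = {user: weak_md5(pw) for user, pw in accounts.items()}
    strong = {user: hash_password(pw) for user, pw in accounts.items()}
    print("unsalted MD5 duplicates:", shared_hashes(weak))
    print("salted PBKDF2 duplicates:", shared_hashes(strong))
    print("login check:", verify_password("Sunshine1", strong["parent_a"]))
```

With unsalted MD5 every account using the same password stores the same value, which is why a leaked table can be matched against published hash lists; with a per-account salt the stored values differ and each one has to be attacked separately at the KDF's cost.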
That in 2015 high-profile online services are still open to rudimentary exploitation signifies – to me at least – a distinct immaturity of the web as a whole. If any good comes of this attack it will be the wake-up call to other service providers to get real with their online security.
While VTech might make it through the immediate blip in its seasonal sales, time will tell whether it can survive the longer reputational damage. I hope so: as a parent I’ve found VTech’s tech toys to be among the best in class. I just hope it now takes less of a toy-town approach to its online services and its users’ data.
In the same Good Morning Britain episode I also talked viewers through how to enable parental restrictions, controls and security measures for other Christmas gadgets – the full story is available on the ITV website.