back to article VTech's Android tablet for kids 'hopelessly insecure'

Toymaker VTech – already under heavy fire for a massive security breach and insecure apps – faces fresh security criticism: researchers have discovered it was possible to easily lift data from its Innotab tablet. Tests by UK security consultancy Pen Test Partners revealed that it was easy to harvest data left on any lost, …

  1. elDog

    Golly Gee Whiz - If they (the kids) have nothing to hide..

    Why should we care about securing the little buggers?

    1. Anonymous Coward
      Anonymous Coward

      Re: Golly Gee Whiz - If they (the kids) have nothing to hide..

      So you'd like a blackhat with a paedophilia fetish breaking into your kid's tablet and pretending to be a fellow child whilst conversing with them?

      1. Anonymous Coward
        Anonymous Coward

        Re: Golly Gee Whiz - If they (the kids) have nothing to hide..

        Yup, bet they are really going to be able to remove that glued on sdcard run an adb shell over USB remotely. Most of these issues are only issues if they have physical access (i.e. probably broken into your house), so I suspect those are likely the least of your worries ...

        No excuses for crap patching, don't get me wrong, but please leave the hyperbole at the door ...

        1. Anonymous Coward
          Anonymous Coward

          Re: Golly Gee Whiz - If they (the kids) have nothing to hide..

          Given the device's intended purpose, it just requires little Johnny to be absent minded enough to leave the device by mistake in a public place for physical access to be unwittingly granted.

          I agree that, assuming a lack of physical access, those issues should not be a big concern. If anything it's a boon for knowledgeable parents. I'd rather see that as a feature they have to enable though.

          It points to sloppy workmanship though, it should not have shipped with ADB turned on, as all it needs is connection to an unfriendly USB host for all hell to break loose. If they've done something like this, one wonders what else they've left wide open.

      2. RAMChYLD

        Re: Golly Gee Whiz - If they (the kids) have nothing to hide..

        I like to think of it more as a service. VTech's own Android store is piss if you don't live in the US or UK, every frigging app except for VTech's own is blocked off (due to "licensing issues", or whatever the BPI/BFI/MPAA/RIAA wants us to believe- yeah, so just because we're not in the US or UK, we're not allowed to download that Doc McStuffins eBook, or apps featuring other famous cartoon characters in general, while the very same apps are otherwise available on Amazon or Google Play at where I am?). If I want to sideload Amazon's appstore, getjar or even Google Play itself and get my apps on there, I should have the rights to. Same applies to Leapfrog's competing Epic tab.

        As for the MicroSD card, I'd prefer it. These things only have a sad 8GB of storage on it. Hardly enough for the MP3 stash.

      3. Captain Queeg

        @Stuart Re: Golly Gee Whiz - If they (the kids) have nothing to hide..

        I'm not sure if it were deliberate or not but the point is so badly missed it hurts.

        If the argument "no-one with anything to hide need be concerned" doesn't hold with our kids, it doesn't hold with anyone - period.

        I'm certain that wasn't lost on you, but it's best to be specific. :-)

  2. Duncan Macdonald

    Why bother with security

    This is a tablet designed for under 7 year old kids - what confidential information is likely to be on such a tablet ? (If it was a higher end tablet designed for adults this might be a problem but not for this device.)

    1. DaddyHoggy

      Re: Why bother with security

      That whooshing noise you can hear is the sound of the point of this story going over your head.

      It doesn't matter that it's the personal information of a 7yo - the point is it's personal - VTech have rapidly expanded into this area in the last few years - they've built their security on a foundation of sand - if these revelations hadn't come out then one would have to suspect that they'd have kept expanding, the IoT would have assured more and more inter-connectedness, more and more snippets of information being shared and stored on your kiddies' device.

      It gets lost or stolen and the life of your kid is available to whomever wants it - their likes, where they go, social circle - perfect material for the start of a little social engineering...

      1. Nate Amsden

        Re: Why bother with security

        probably easier to socially engineer those 7 year olds with candy (as in chocolate).

      2. L05ER

        what are you on about?

        VTech has been the dominate producer of kid's tech for over 30 years... This isn't some new manufacturer dangerously heading into unfamiliar territory.

        VTech was always a good example of how not to do things... One... Two... Shree. Shree i say!

    2. jtaylor

      Re: Why bother with security

      Innotabs include a "180 degree rotating camera and video recorder" and some apps like VTech Kid Connect let you "Send text and voice messages, animated stickers, drawings, photos and more to your child from your iPhone® to their InnoTab®"

      I can imagine why some people might not want to leak personal videos and contact information for family and trusted adults. Also, what happens if someone uses the stored account data to log on to sites as the original child?

      http://www.vtechkids.com/brands/brand_view/innotab3

      https://itunes.apple.com/us/app/vtech-kid-connect/id675014559

      1. Dan 55 Silver badge
        Childcatcher

        Re: Why bother with security

        If there's one thing I really wouldn't trust it's software like this, probably knocked up by people who have no idea about security. I'd rather have standard IM/videochat software installed.

        As for the hardware, I'm of the opinion that prevention is better than cure, i.e. it shouldn't have a camera.

        Recovery mode just needs to copy the OS out of a read-only partition and start again. No ADB bridge/debug mode either.

        Trying to do something to defeat opening the thing to get the SD card out of it and looking at the filesystem, well, if you need to protect against that kind of thing then you've probably got bigger problems or a child prodigy.

    3. Nate Amsden

      Re: Why bother with security

      exactly the same thing I was thinking too, same goes for their website hack, what value does any of that data have. It seems as if the "hacker" who told whatever news org that they did it just did it to show it was insecure (get some free press, something to put on the resume - good for them I guess, for the rest of the world I see little reason to care).

    4. jonathanb Silver badge

      Re: Why bother with security

      Information of interest to people who like 7 year olds for the wrong reasons - contact details for their friends, birthdays, their photo and video collections, stuff like that.

  3. Simple Si
    Facepalm

    A victim speaking

    My daughters were given one of these Innotabs to share as a Christmas present last year. To be honest, I was disappointed that I wasn't consulted in the choice of present as a basic android tablet like the Huddle would have provided more value and more functionality. Anyway, the device was registered, used a couple of times and been tucked away in the cupboard. The kids didn't seem to like it (perhaps picking up on my reaction) and much prefered playing with other toys. I downloaded the odd app for my Nexus tablet instead and let the kids play that on very rare occasions.

    It doesn't surprise me that the data was leaked. Been tempted to see if the device can be rooted to run cyanogenmod and a quick google on XDA Dev appears to indicate that it can. Might install that to protect the kids data and let them get more out of it but recall the specs of the device is a bit pants...

  4. Anonymous Coward
    Anonymous Coward

    It's a kids' toy

    It shouldn't contain any data juicy enough for grownups to be worried about!

    1. Mark 85

      Re: It's a kids' toy

      Well..."shouldn't" but it's basically a computer with camera, etc. So it's beyond the "toy" stage in that it has access to the world. There's some danger there...

      The bigger point is VTech's attitude towards all these holes in their products.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a kids' toy

        ref. VTech attitude

        it's the same as EVERYBODY else, i.e. get the maximum profit for minimum cost. They're just at the extreme end of the spectrum of how many corners business is prepared to cut to get to that "minimum cost".

    2. Captain Queeg

      Re: It's a kids' toy

      > It shouldn't contain any data juicy enough for grownups to be worried about!

      At a guess you're not a parent are you?

  5. Christian Berger

    There is no protection against physical access...

    ...at least none that's implementable in any sensible way on a budget, but that's actually not really much of a problem. The insecurities of Android are not that you could dump the Flash when you get your fingers on it, the insecurities of Android are that it's so complex it probably has lots of remotely exploitable security holes in it, in addition to any vendor built-in back doors.

  6. heyrick Silver badge

    Micro SD card glued to the board

    I'm guessing this was so they could offer a range of "memory sizes" by charging an extra £50 for a £5 card swap.

  7. NanoMeter
    Coat

    The solution

    Sell them to insecure kids.

  8. Jason Bloomberg Silver badge
    Joke

    Merry Christmas

    If you are worried about giving your kids a dangerously insecure tablet for Christmas; you might want to consider giving them a handgun instead.

  9. Anonymous Coward
    Anonymous Coward

    microSD card on the motherboard, which was glued on

    a breakthrough design in on-board memory technology, no less.

    1. Ken Moorhouse Silver badge

      Re: microSD card on the motherboard, which was glued on

      Probably in-line with legislation regarding "small part, choking hazard". Vtech probably couldn't get hold of enough Mullard Ferrite Core Memory at the right price.

  10. Ken Moorhouse Silver badge

    Vtech - great learning toys...

    ...for aspiring security consultants...

    Vtech Innotab, available in Pink.

    New Hacker Hat Colo(u)r category: Pink Hat.

  11. cosymart
    FAIL

    What?

    It's cheap crap - why would anyone expect it to be secure? It's only redeeming point is that being so crap it won't last that long so will end up as landfill long before anyone gets chance to do anything meaningful with it.

  12. sisk

    Developer mode on by default? Whoever made that decision needs to have a conversation with someone holding a clue-by-four.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like