Golly Gee Whiz - If they (the kids) have nothing to hide..
Why should we care about securing the little buggers?
Toymaker VTech – already under heavy fire for a massive security breach and insecure apps – faces fresh security criticism: researchers have discovered it was possible to easily lift data from its Innotab tablet. Tests by UK security consultancy Pen Test Partners revealed that it was easy to harvest data left on any lost, …
Yup, bet they are really going to be able to remove that glued-on SD card or run an adb shell over USB remotely. Most of these issues are only issues if they have physical access (i.e. probably broken into your house), so I suspect those are likely the least of your worries ...
No excuses for crap patching, don't get me wrong, but please leave the hyperbole at the door ...
Given the device's intended purpose, it just requires little Johnny to be absent minded enough to leave the device by mistake in a public place for physical access to be unwittingly granted.
I agree that, assuming a lack of physical access, those issues should not be a big concern. If anything it's a boon for knowledgeable parents. I'd rather see that as a feature they have to enable though.
It points to sloppy workmanship though, it should not have shipped with ADB turned on, as all it needs is connection to an unfriendly USB host for all hell to break loose. If they've done something like this, one wonders what else they've left wide open.
I like to think of it more as a service. VTech's own Android store is piss if you don't live in the US or UK, every frigging app except for VTech's own is blocked off (due to "licensing issues", or whatever the BPI/BFI/MPAA/RIAA wants us to believe - yeah, so just because we're not in the US or UK, we're not allowed to download that Doc McStuffins eBook, or apps featuring other famous cartoon characters in general, while the very same apps are otherwise available on Amazon or Google Play at where I am?). If I want to sideload Amazon's appstore, getjar or even Google Play itself and get my apps on there, I should have the rights to. Same applies to Leapfrog's competing Epic tab.
As for the MicroSD card, I'd prefer it. These things only have a sad 8GB of storage on it. Hardly enough for the MP3 stash.
I'm not sure if it were deliberate or not but the point is so badly missed it hurts.
If the argument "no-one with anything to hide need be concerned" doesn't hold with our kids, it doesn't hold with anyone - period.
I'm certain that wasn't lost on you, but it's best to be specific. :-)
That whooshing noise you can hear is the sound of the point of this story going over your head.
It doesn't matter that it's the personal information of a 7yo - the point is it's personal - VTech have rapidly expanded into this area in the last few years - they've built their security on a foundation of sand - if these revelations hadn't come out then one would have to suspect that they'd have kept expanding, the IoT would have assured more and more inter-connectedness, more and more snippets of information being shared and stored on your kiddies' device.
It gets lost or stolen and the life of your kid is available to whomever wants it - their likes, where they go, social circle - perfect material for the start of a little social engineering...
Innotabs include a "180 degree rotating camera and video recorder" and some apps like VTech Kid Connect let you "Send text and voice messages, animated stickers, drawings, photos and more to your child from your iPhone® to their InnoTab®"
I can imagine why some people might not want to leak personal videos and contact information for family and trusted adults. Also, what happens if someone uses the stored account data to log on to sites as the original child?
http://www.vtechkids.com/brands/brand_view/innotab3
https://itunes.apple.com/us/app/vtech-kid-connect/id675014559
If there's one thing I really wouldn't trust it's software like this, probably knocked up by people who have no idea about security. I'd rather have standard IM/videochat software installed.
As for the hardware, I'm of the opinion that prevention is better than cure, i.e. it shouldn't have a camera.
Recovery mode just needs to copy the OS out of a read-only partition and start again. No ADB bridge/debug mode either.
Trying to do something to defeat opening the thing to get the SD card out of it and looking at the filesystem, well, if you need to protect against that kind of thing then you've probably got bigger problems or a child prodigy.
Exactly the same thing I was thinking too, same goes for their website hack, what value does any of that data have? It seems as if the "hacker" who told whatever news org that they did it just did it to show it was insecure (get some free press, something to put on the resume - good for them I guess, for the rest of the world I see little reason to care).
My daughters were given one of these Innotabs to share as a Christmas present last year. To be honest, I was disappointed that I wasn't consulted in the choice of present as a basic Android tablet like the Huddle would have provided more value and more functionality. Anyway, the device was registered, used a couple of times and been tucked away in the cupboard. The kids didn't seem to like it (perhaps picking up on my reaction) and much preferred playing with other toys. I downloaded the odd app for my Nexus tablet instead and let the kids play that on very rare occasions.
It doesn't surprise me that the data was leaked. Been tempted to see if the device can be rooted to run CyanogenMod and a quick google on XDA Dev appears to indicate that it can. Might install that to protect the kids' data and let them get more out of it but recall the specs of the device are a bit pants...
...at least none that's implementable in any sensible way on a budget, but that's actually not really much of a problem. The insecurities of Android are not that you could dump the Flash when you get your fingers on it, the insecurities of Android are that it's so complex it probably has lots of remotely exploitable security holes in it, in addition to any vendor built-in back doors.