Children and parents in the Network: history of cracking of the VTech services

Leaks of user data caused by breaches of the services that hold it are, unfortunately, not rare. Recall the widely publicized breach of the Ashley Madison dating service, when data on millions of users leaked onto the Internet. A huge number of those users were just bots, but that changes nothing: each of us is vulnerable.

Even the data of users who watch their accounts, choose complex passwords and try to anticipate bad scenarios still leaks. And there is an interesting nuance: while the security of adults' data is monitored everywhere, the problem of protecting children's data online is somehow far less discussed. Yet there are even more problems there: children are not well acquainted with the basics of information security, and even when they are, hackers find other ways to get at their data. A recent example is the breach of the services of VTech (a vendor of children's electronic toys), as a result of which data from millions of accounts belonging to young users leaked onto the Internet.

In total about 4.8 million records are involved, including names, e-mail addresses, dates of birth and so on. Most of these accounts belonged to parents, but about 200 thousand are children's accounts. And the hackers gained access not only to the accounts but also to hundreds of thousands of photos and other materials. Lorenzo Bicchierai, who often writes for Motherboard, was one of the first to discover the breach. He decided to turn to an information security specialist.

The first step taken was to verify some of the accounts from the whole data set. Requests were sent to some of the e-mail addresses (with an explanation of the situation), and some users replied. The result: yes, unambiguously, the VTech service had been breached.

By the way, a service that notifies users when their data appears in a breach has been running for a long time. You can check yourself and subscribe to notifications here.


This is what the service interface looks like.

This means that anyone can identify adults and children and work out who the parents of the kids whose data was "dumped" online are. Moreover, the data makes it possible to learn the place of residence of most of the people registered with VTech.

Interestingly, the service's administrators were not aware of the breach until Lorenzo wrote to them. Only after that did work on mitigating the consequences begin. It was also possible to contact the hacker who carried out the whole operation. As it turned out, he did it "just for fun"; he simply had no need for the data.

This is the form in which all the data was obtained.

The table at the top corresponds to the file parent.csv, which had nearly 5 million lines. It holds the following user data:

id
email
encrypted_password
first_name
last_name
password_hint
secret_question
secret_answer
email_promotion
active
first_login
last_login
login_count
free_order_count
pay_order_count
client_ip
client_location
registration_url
country
address
city
state
zip
updated_datetime


Passwords are presented in this form:


And this is the data that was required when registering a child's parent:


VTech produces many dozens of device models for children and their parents, including, for example, a video baby monitor. VTech also has an online store from which parents can download e-books, applications and games for their children's devices.

The hacker who broke into the VTech network reported that SQL injection was used. Through it he gained access to the company's web servers and database, with full access.

Analysis of the incident showed that the breach was only a matter of time. For example, passwords were hashed with MD5, which, to put it mildly, is not the hardest algorithm to crack. Moreover, the password reminder questions were stored in plain text. So obtaining or resetting a password was no problem at all. Given enough motivation, the same information could also be used to try to take control of the user's accounts on other services, Gmail or a bank account for example.

Worst of all, many children's accounts were linked to their parents' accounts, and the residential address was given as well. Today such an attitude to storing children's information is simply inexcusable.
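To make the storage problem concrete, here is an added example (not VTech's code) that builds a credential record the way the article describes the dump (unsalted MD5 password, plain-text secret answer) next to a hardened version with a per-user salt and a slow KDF; the field names follow parent.csv, while the KDF choice and iteration count are this example's assumptions.

```python
import hashlib
import hmac
import os

# Added example, not VTech's code. Field names follow the parent.csv columns
# listed in the article; the KDF and its parameters are this example's choice.
PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-level figure for SHA-256


def weak_record(password: str, secret_answer: str) -> dict:
    """Storage as the article describes it: unsalted MD5, secret answer in plain text."""
    return {
        "encrypted_password": hashlib.md5(password.encode()).hexdigest(),
        "secret_answer": secret_answer,
    }


def _kdf(value: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ITERATIONS).hex()


def hardened_record(password: str, secret_answer: str) -> dict:
    """Per-user random salt and a slow KDF; the secret answer gets the same
    treatment, since the article shows it being usable to reset the password."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "encrypted_password": _kdf(password, salt),
        # normalise so 'Fluffy ' and 'fluffy' match, then hash it like a password
        "secret_answer": _kdf(secret_answer.strip().lower(), salt),
    }


def verify(record: dict, field: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate against a hardened record."""
    if field == "secret_answer":
        candidate = candidate.strip().lower()
    derived = _kdf(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(derived, record[field])


def looks_like_raw_md5(stored: str) -> bool:
    """Audit check: a bare 32-char hex string is the shape seen in the dump,
    i.e. no salt and no algorithm tag, so identical passwords hash identically."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)
```

Two users with the same password get identical `encrypted_password` values in the weak form, which is exactly what lets a leaked table be attacked in bulk; the hardened form gives every record a different value.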



How to identify the parents? It's very simple:

Parent data is output in this form:

id
username
domain
ll_child_id
ll_parent_id
parent_id
country_lang
create_datetime
expired_datetime


Example of a record:

215836, 'foo%40bar.com', 'kc-im2.vtechda.com', 0, 2700413, 2700413, 'USeng', '2013-12-25 1:55:21 PM', NULL

and a child's record:

215841, 'LittleJohnny', 'kc-im2.vtechda.com', 3974296, 0, 2700413, 'USeng', '2013-12-25 1:55:23 PM', NULL

And, on top of everything, optional data:

id
created_datetime
updated_datetime
parent_id
login_name
password
first_name
dob
product_code
is_avatar_created
account_level
gender
expiry_date
registration_url



Where does this data come from? From other websites connected with VTech, namely:

www.planetvtech.com
www.lumibeauxreves.com
www.planetvtech.fr
www.vsmilelink.com
www.planetvtech.de
www.planetvtech.co.uk
www.planetvtech.es
www.proyectorvtech.es
www.sleepybearlullabytime.com
de.vsmilelink.com
fr.vsmilelink.com
uk.vsmilelink.com
es.vsmilelink.com



And everything looks quite lovely:

This is what the registration form looks like:

Shall we add a child's account? No problem:

It should be noted that the security problems raised above (for example, the ability to link a child and a parent within seconds) are not easy to fix. They are, if one may put it that way, fundamental: VTech would have to remake everything, if not develop its web services and authentication system from scratch.

After the breach became known, parents began to express outrage, asking why the company needed the address and all the other data just so that customers could download a couple of e-books.

And it is especially strange that VTech does not use security standards that have long been mandatory. For example, SSL is not used anywhere, and data (passwords, logins) is transferred in the clear. In general, it is even strange that nobody paid attention to the service earlier.

Main security problems at VTech

Let's look once more at what mistakes were made by a company whose annual turnover is about 2 billion US dollars.

1. No SSL. Data is transmitted over open channels, and there is a lot of it: information about the parents, the password, the login, information about the child.

2. Passwords are stored in a barely protected form, so to speak. And the secret questions are not protected at all: they are plain text. Children's passwords are also stored in the clear. They are just children, why protect their data, huh?

3. No protection against SQL injection. Here everything is not just simple, it is very simple.

4. Flash is used everywhere. Even its creator, Adobe, urges abandoning this technology. A company of VTech's level could have done so long ago, using safe technologies.

Take care of your children too!
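Point 3 above is the class of bug the hacker said he used. As an added example (not VTech's code), here is a login lookup written two ways against a constructed in-memory table whose columns follow the parent.csv layout, plus the regression check a defender would keep in CI; the row, the e-mail and the password are made up, and MD5 is kept only to mirror the storage the article describes.

```python
import hashlib
import sqlite3

# Added example, not VTech's code. The table mirrors three parent.csv columns;
# the single row is constructed. MD5 is used only to match the dump's format.


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parent (id INTEGER, email TEXT, encrypted_password TEXT)")
    con.execute(
        "INSERT INTO parent VALUES (?, ?, ?)",
        (2700413, "foo@bar.com", hashlib.md5(b"correct horse").hexdigest()),
    )
    return con


def login_concatenated(con: sqlite3.Connection, email: str, password: str):
    """Vulnerable form: user input is spliced into the SQL text, so a quote in
    the e-mail field rewrites the query itself (the bug class in point 3)."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (f"SELECT id FROM parent WHERE email = '{email}' "
           f"AND encrypted_password = '{pw_hash}'")
    return con.execute(sql).fetchone()


def login_parameterized(con: sqlite3.Connection, email: str, password: str):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return con.execute(
        "SELECT id FROM parent WHERE email = ? AND encrypted_password = ?",
        (email, pw_hash),
    ).fetchone()


def bypasses_password_check(login) -> bool:
    """Regression check: with a quote and an SQL comment in the e-mail field and
    a wrong password, a correct login function must return no row at all."""
    con = build_db()
    row = login(con, "foo@bar.com' --", "wrong password")
    return row is not None
```

The check returns True for the concatenated version (the comment swallows the password clause) and False for the parameterized one, which is the behaviour a pre-release test should pin down.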

This article is a translation of the original post at habrahabr.ru/post/273423/