In our previous article, we took a brief look at some of the more specific smart toy security issues and offered our recommendations for improving security and avoiding such issues going forward. In Part 2, we focus on VTech’s very public breach of its tablet cloud ecosystem, and then take a broader look at the abundance of baby monitors and wireless cameras on the market and in homes that are riddled with security flaws.
VTech’s Learning Lodge, Kid Connect, Planet VTech
Considered the largest known hack targeting kids to date, a November 2015 cyber attack on VTech’s “Learning Lodge” app platform for its popular line of tablets exposed the data of 5.9 million adults and 6.4 million children. Leaked child account data included name, gender, and birth date. Adult data included name, mailing address, e-mail address, hashed passwords, password retrieval information, IP address, and download history. The most concerning part of the breach was the data stored within the Kid Connect platform, a text, photo, and voice message chat application. Personal photos and chat histories of both parents and children were exposed as part of this breach.
After the hack came to light, VTech shut down its online services for an extended period, crippling millions of products for consumers.
After two years of investigations, the FTC and US Department of Justice fined the Hong Kong-based holding corporation $650,000 (about 22 cents per child) for COPPA violations, for failing to properly secure personally identifying information in the children’s accounts.
What went wrong?
The data stored in the cloud platform was neither secured nor encrypted. Once someone gained access to the data, its contents could be opened on any device. Personal data, photos, chat histories, pretty much everything was stored as plainly accessible files.
Many of the chat logs and shared photos on the cloud platform stemmed from the Kid Connect messaging app. This chat app allowed children and parents to message each other, potentially exposing personally identifying information. While access to this platform requires parental consent, the way consent was granted (a button in the app) wasn’t foolproof and didn’t ensure that an actual parent was granting it. VTech’s platform also did not truthfully disclose what information was being collected, nor did it allow parents to delete this information at any time, all of which are requirements of COPPA.
Parental consent must be verifiable. This can be done by postal mail, via a government-issued ID, by completing a credit card transaction, and by several other methods. Unfortunately, a simple web form or button is not acceptable. Once a parent consents, they should also be granted access to review and delete the information collected about their child.
Read our guide to COPPA for games and connected toys for more information.
(Mi-Cam, iBaby, Summer Baby Zoom, Philips In.Sight, Lens Peek-a-view, TrendNet Wifi Baby Cam, and many more)
While not toys specifically, wireless smart baby monitors are in hundreds of thousands of homes, and many are sold as one-off products by little-known overseas vendors. Over the last decade, numerous baby monitors and remote cameras have been found to have serious vulnerabilities that allow hackers, and even casual web browsers, to view monitor feeds and even send audio directly to the monitor in someone’s home.
Since baby monitor issues keep cropping up, one product iteration after another, we decided to break down the most common vulnerabilities seen and offer our advice on how these security dangers could be avoided going forward. If you own a smart baby monitor or wireless camera, take some time to search for your make and model online. See whether it has been reported to have any of the vulnerabilities below (not all do), and check the manufacturer’s website, or the companion app, for firmware updates and patches.
What was wrong with these baby monitors?
Common Problem #1
Local communications are not encrypted. Monitors such as the Mi-Cam, iBaby, and Philips devices used unencrypted communication protocols to send and receive information, such as audio and video, over the network from camera to app and back.
While it seems as though this would only be a problem within the LAN, attacks can still happen within compromised networks. With HTTPS and SSH being common solutions, unencrypted connections just seem sloppy, especially when it comes to sensitive content. Moreover, if the device also streams over the internet, it should already have these protocols up and running, so why not use them for LAN connections as well?
Common Problem #2
Internet communications are not encrypted. Encrypting internet communications is now the standard, and what helped drive us to that level? Communication apps! So why is it that nearly half of the wireless cameras sold on Amazon and eBay (such as the popular Mi-Cam and LeFun cameras) lack this fundamental protection?
Several devices on the market avoid encryption options altogether, transferring login data and video and audio streams over the internet (or through an intermediate cloud platform) in an interceptable, readable format. Some devices do offer encrypted communications but have them disabled by default. This may be done to ensure better router/firewall compatibility on first use, but it is a very risky compromise.
We recommend encrypted communication protocols as the only method of data transfer for these devices. There should be no option to turn encryption off.
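To make the recommendation in Common Problems #1 and #2 concrete, here is an added example (our illustration, not code from VTech, Mi-Cam, LeFun or any other vendor) of a camera-to-app transport layer where the “encryption off” switch simply does not exist. It shows a weak, as-shipped configuration next to the corrected one, a loader that fails closed if an opt-out key is ever present, and the TLS contexts used identically on the LAN and over the internet. The configuration keys, the CA file name and the certificate paths are assumptions.

```python
"""TLS-only transport between a camera and its companion app.

Added example, not code from VTech, Mi-Cam, LeFun or any other vendor.
The config keys (tls, cert_verify, plaintext, ca_file) and the file
names are assumptions used for illustration.
"""
import socket
import ssl

# Constructed "as shipped" configuration: encryption exists but is off by
# default for router/firewall compatibility, and verification can be disabled.
WEAK_CONFIG = {"stream_port": 8554, "tls": "off", "cert_verify": "no"}

# Corrected configuration: the opt-out keys do not exist at all. The only
# transport-related setting is which CA signs the per-device certificates.
HARDENED_CONFIG = {"stream_port": 8554, "ca_file": "vendor-device-ca.pem"}

OPT_OUT_KEYS = ("tls", "cert_verify", "plaintext")


def validate_transport_config(cfg):
    """Fail closed: a config that can disable or weaken encryption is rejected.

    Returns the config unchanged when it is acceptable and raises
    ValueError otherwise, so a stale config file can never silently put
    the device back into plaintext mode.
    """
    present = [k for k in OPT_OUT_KEYS if k in cfg]
    if present:
        raise ValueError("transport config carries opt-out keys: %s" % present)
    if "ca_file" not in cfg:
        raise ValueError("ca_file is required to authenticate the device")
    return cfg


def make_app_context(ca_file=None):
    """SSLContext for the companion app when it connects to the camera.

    The same context serves LAN and internet connections: certificate
    verification and hostname checking stay on, and TLS below 1.2 is
    refused. ca_file is the vendor CA that signs per-device certificates
    (assumed); None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_device_context(cert_file, key_file):
    """SSLContext for the camera's own stream listener.

    cert_file/key_file are the per-device certificate and key provisioned
    at manufacturing (assumed paths). A PROTOCOL_TLS_SERVER context never
    accepts a plaintext client, so there is nothing to "turn off".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def open_stream(cfg, host):
    """Connect to the camera's stream port: TLS or nothing, no fallback."""
    validate_transport_config(cfg)
    ctx = make_app_context(cfg["ca_file"])
    raw = socket.create_connection((host, cfg["stream_port"]))
    return ctx.wrap_socket(raw, server_hostname=host)
```

The design point is that the loader rejects the weak configuration rather than “upgrading” it: a firmware that tolerates a legacy `tls: off` key will eventually ship with it set.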
Common Problem #3
Data is stored in unencrypted formats. Video stored as MP4 files, audio as MP3, user information and settings as text or XML: all formats that, if intercepted, can be easily viewed by a third party.
A third party intercepting communications and obtaining access to files and streams is certainly cause for concern, but having that content easily viewable to them on any device is a major security flaw in its own right. This is especially a concern when cloud platforms serve as a semi-permanent storage repository for this content. No cloud platform is immune to attack and leaks, and if a breach were to happen, encrypted file formats would go a long way toward preventing access to highly sensitive content.
We recommend industry-standard encryption on files, either within the file format’s own capabilities or by storing the files in encrypted containers.
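As an added illustration of the “encrypted container” option (our example, not any vendor’s storage format), the following seals a recording with AES-256-GCM and binds the record’s id into the authentication tag, so a leaked copy is neither readable nor quietly swappable for another clip. It uses the third-party `cryptography` package, which is assumed to be installed; the container layout, the MAGIC marker and the sample MP4-like bytes are constructed for the demonstration.

```python
"""Sealing recorded clips and chat logs at rest with AES-256-GCM.

Added example, not any vendor's storage format. Uses the third-party
`cryptography` package (assumed installed); the container layout, the
MAGIC marker and SAMPLE_CLIP are constructed for illustration.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"SEAL1"   # constructed container marker
NONCE_LEN = 12     # 96-bit nonce, the size GCM is specified for

# Constructed stand-in for an MP4 recording: a real file opens with an
# 'ftyp' box, which is exactly what anyone holding a leaked plaintext
# file would recognise and play back.
SAMPLE_CLIP = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + bytes(48)


def new_storage_key():
    """256-bit key. On a device it belongs in a secure element or the OS
    key store, never in the same directory as the clips it protects."""
    return AESGCM.generate_key(bit_length=256)


def seal(key, plaintext, record_id):
    """Return MAGIC | nonce | ciphertext+tag.

    record_id (the clip's file name or database id) is bound as
    associated data, so a sealed clip cannot be renamed or substituted
    under another id without the tag check failing.
    """
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(key).encrypt(nonce, plaintext, record_id.encode())
    return MAGIC + nonce + ct


def unseal(key, container, record_id):
    """Decrypt and authenticate; ValueError on tampering or id mismatch."""
    if not container.startswith(MAGIC):
        raise ValueError("not a sealed record")
    body = container[len(MAGIC):]
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ct, record_id.encode())
    except InvalidTag:
        raise ValueError("record failed authentication") from None


def looks_like_plain_mp4(data):
    """True if the MP4 'ftyp' marker is visible in the first 32 bytes,
    i.e. the file is readable by anyone who obtains it."""
    return b"ftyp" in data[:32]


def flip_one_bit(container):
    """Constructed helper: corrupt one bit near the end of the container
    (inside the ciphertext/tag) to show that tampering is detected."""
    b = bytearray(container)
    b[-5] ^= 0x01
    return bytes(b)
```

A fresh random nonce per record is mandatory with GCM; reusing one under the same key destroys the scheme’s guarantees, which is why the nonce is generated inside `seal` rather than passed in.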
Common Problem #4
Remote shell access left enabled. Many IoT devices ship with compact, pre-configured OSes, and like full OSes they can execute commands, serve web pages, handle multiple user accounts, and allow remote access and control. Compact versions of Linux are often used on smart devices and many baby monitors. Developers often use shell access to remotely update and debug the hardware from their PC. Often a product ships with this admin-level backdoor left open, giving hackers a path right into the root operating system of the device.
As with any connected product being prepared for release, all debug features should be removed. It’s helpful for the developer to create a build script that does this as part of the final compilation, which drastically reduces the likelihood of a developer forgetting to close any backdoors.
Common Problem #5
Default and backdoor accounts. Default login accounts are the cause of the majority of IP camera hacks. You know them and have probably used them a few times in the past while configuring a router or other smart device: Username: admin, Password: admin. Every manufacturer uses a handful of these on their products.
All it takes for a hacker to find a smart camera is to try IP addresses and see if the camera’s login page pops up. Those pages usually carry the information needed to identify exactly what make and model the camera is. Then, with a quick Google search, they can find the default credentials, and if the owner didn’t change them, the hacker has access to the camera and can subsequently take control of it. The iBaby M3S baby monitor shipped with a default login of Admin/Admin, which was hardcoded (the owner could not change the password).
Developers also tend to leave undocumented accounts active: accounts the user cannot see, access, or change credentials for. The Gynoii camera shipped with unchangeable credentials (Admin/12345), giving permanent access to anyone who knows the IP address and can look up the credentials online.
Out of the top 10 selling baby monitor cameras on Amazon.com, we found that 8 used the easily guessable admin/admin as the default login.
Preventing these dangerous default credentials from persisting is easy. Here’s what we recommend:
1: The web portal login page should not identify the device or manufacturer (which would help hackers identify the device and easily find a default password online).
2: The login screen should be designed (with a CAPTCHA or timed delays) to prevent rapid login attempts and brute-force attacks.
3: Upon first login, the device should force the user to change the username and password.
Additionally, backdoor customer service, developer, and special user accounts should be deleted when making a public build. This can be scripted as part of the build process so developers don’t forget.
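The build-time step recommended here and under Common Problem #4 (strip debug services, delete backdoor accounts, and do it by script) can be expressed as a release gate that inspects the staged root filesystem and refuses to package an image that still carries either. The following is an added example of our own, not any vendor’s build system; the staging layout, the service names, the allow-listed accounts and the sample tree it constructs are assumptions for illustration.

```python
"""Release-build gate: fail the build if debug services or undocumented
accounts survive in the staged root filesystem, and scrub them.

Added example, not any vendor's build system. The staging layout, the
service names, the allowed-account list and the sample tree are
assumptions for illustration.
"""
import os
import re
import tempfile

# Daemons and init scripts that belong only to development builds (assumed).
DEBUG_SERVICES = {"telnetd", "dropbear", "sshd", "gdbserver", "adbd"}
SERVICE_DIRS = ("etc/init.d", "usr/sbin", "usr/bin", "sbin", "bin")
# Accounts a production image is allowed to carry (assumed).
ALLOWED_ACCOUNTS = {"root", "nobody", "camera"}


def _service_name(filename):
    # BusyBox-style init scripts are named S50telnetd; drop the ordering prefix.
    return re.sub(r"^[SK]\d+", "", filename)


def find_debug_services(rootfs):
    """Paths (relative to rootfs) of debug daemons and their init scripts."""
    found = []
    for sub in SERVICE_DIRS:
        d = os.path.join(rootfs, sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if _service_name(name) in DEBUG_SERVICES:
                found.append(os.path.join(sub, name))
    return found


def _read_fields(path):
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [ln.rstrip("\n").split(":") for ln in fh if ln.strip()]


def find_extra_accounts(rootfs):
    """Accounts in etc/passwd that are not on the allow-list."""
    return [f[0] for f in _read_fields(os.path.join(rootfs, "etc/passwd"))
            if f[0] not in ALLOWED_ACCOUNTS]


def find_unlocked_accounts(rootfs):
    """Non-allow-listed accounts whose etc/shadow entry still holds a usable
    password (locked entries start with '*' or '!'; an empty field means no
    password at all, which is worse, so it is flagged too)."""
    return [f[0] for f in _read_fields(os.path.join(rootfs, "etc/shadow"))
            if f[0] not in ALLOWED_ACCOUNTS
            and len(f) > 1 and not f[1].startswith(("*", "!"))]


def release_gate(rootfs):
    """Return a list of problems; an empty list means the image may ship."""
    problems = ["debug service: " + p for p in find_debug_services(rootfs)]
    problems += ["undocumented account: " + a for a in find_extra_accounts(rootfs)]
    problems += ["usable password for: " + a for a in find_unlocked_accounts(rootfs)]
    return problems


def scrub(rootfs):
    """The build-script step: delete debug services and drop every account
    that is not allow-listed from both etc/passwd and etc/shadow."""
    for rel in find_debug_services(rootfs):
        os.remove(os.path.join(rootfs, rel))
    for name in ("etc/passwd", "etc/shadow"):
        path = os.path.join(rootfs, name)
        if os.path.exists(path):
            keep = [":".join(f) for f in _read_fields(path) if f[0] in ALLOWED_ACCOUNTS]
            with open(path, "w") as fh:
                fh.write("\n".join(keep) + "\n")


def build_sample_rootfs():
    """Constructed dev-build staging tree for the demonstration (not a real
    image): a telnet daemon with its init script and a uid-0 'support'
    account with a password hash."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc/init.d"))
    os.makedirs(os.path.join(root, "usr/sbin"))
    for rel in ("etc/init.d/S50telnetd", "usr/sbin/telnetd", "usr/sbin/camerad"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("#!/bin/sh\n")
    with open(os.path.join(root, "etc/passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n"
                 "camera:x:1000:1000::/var/camera:/bin/false\n"
                 "support:x:0:0:vendor support:/root:/bin/sh\n")
    with open(os.path.join(root, "etc/shadow"), "w") as fh:
        fh.write("root:*:18000:0:99999:7:::\n"
                 "camera:!:18000:0:99999:7:::\n"
                 "support:$6$constructedsalt$constructedhash:18000:0:99999:7:::\n")
    return root
```

Run `release_gate` twice in the pipeline: once to report, and once after `scrub` as the hard stop, so a non-empty result after scrubbing fails the build rather than producing a warning someone can ignore.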
Many manufacturers have started using device-unique default passwords, which adds cost but greatly increases security, as long as the algorithms used to generate them cannot be easily reverse-engineered.
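The three recommendations above, together with the device-unique default just mentioned, fit in a single login component. The following is an added example of ours, not the firmware of iBaby, Gynoii or any other vendor: the login page names nothing about the device, failed attempts earn a growing delay, the first successful login cannot do anything except replace both the username and the password, and the factory default is drawn from a CSPRNG at manufacturing so there is no serial- or MAC-based formula to reverse. The delay schedule, the label alphabet and the password rules are assumptions.

```python
"""Credential lifecycle for a camera's web portal.

Added example, not any vendor's firmware. The delay schedule, the label
alphabet and the password rules are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Label-friendly alphabet: no 0/O or 1/I to misread on a sticker.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
FAILURE_DELAYS = (0, 1, 2, 4, 8, 16, 30)   # seconds to wait after the n-th failure
MIN_PASSWORD_LEN = 10


def manufacturing_default(length=12):
    """Random per-device password printed on the label. It is not derived
    from the serial number or MAC, so there is nothing to reverse-engineer;
    the factory keeps only its scrypt hash, written into the device."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """scrypt with a random 16-byte salt; returns (salt, 32-byte digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


class Portal:
    """Login state for one device."""

    def __init__(self, default_password, default_username="admin"):
        self.default_username = default_username
        self.username = default_username
        self.salt, self.digest = hash_password(default_password)
        self.default_salt, self.default_digest = self.salt, self.digest
        self.must_change = True          # cleared only by set_credentials()
        self.failures = 0
        self.not_before = 0.0            # monotonic time of the next allowed attempt

    @staticmethod
    def login_page():
        """Recommendation 1: nothing that names the device or manufacturer."""
        return {"title": "Sign in", "fields": ["username", "password"]}

    def login(self, username, password, now=None):
        """Recommendation 2: a growing delay after each failure.
        Returns 'throttled', 'denied', 'change-required' or 'ok'."""
        now = time.monotonic() if now is None else now
        if now < self.not_before:
            return "throttled"
        # Hash even on a wrong username so timing does not reveal valid names.
        _, candidate = hash_password(password, self.salt)
        name_ok = hmac.compare_digest(username.encode(), self.username.encode())
        if not (name_ok and hmac.compare_digest(candidate, self.digest)):
            self.failures += 1
            idx = min(self.failures, len(FAILURE_DELAYS) - 1)
            self.not_before = now + FAILURE_DELAYS[idx]
            return "denied"
        self.failures = 0
        return "change-required" if self.must_change else "ok"

    def set_credentials(self, new_username, new_password):
        """Recommendation 3: the first login must replace both the username
        and the password, and the factory default can never be reused."""
        if new_username.lower() in ("admin", "root", "user", self.default_username.lower()):
            raise ValueError("choose a username other than the default")
        if len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        _, cand = hash_password(new_password, self.default_salt)
        if hmac.compare_digest(cand, self.default_digest):
            raise ValueError("the factory default may not be reused")
        self.username = new_username
        self.salt, self.digest = hash_password(new_password)
        self.must_change = False
```

Until `set_credentials` succeeds, every login answers `change-required`, so the web portal routes straight to the change form and exposes no other function; the `now` parameter exists so the throttle can be exercised without sleeping.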
Common Problem #6
Hacking through UART. Primarily used for diagnostics and debugging, the UART (Universal Asynchronous Receiver/Transmitter) modules found on most connected product boards are an easy way to access the root of the device and modify the OS and files. It’s essentially a chip, usually accompanied by a serial port. This requires physical, and often invasive, contact with the device, but it certainly remains a risk to consumers. A potential scenario in which this could be used on a grand scale is a malicious distributor or seller (on eBay, for example) introducing malware or changing settings through UART access prior to sale.
Since a serial cable must be attached to the UART pins, this most often means the attacker needs physical access to the device and must disassemble it to some degree. Manufacturers can design their products with tamper-resistant casings, use holographic tamper-evident stickers, cover serial ports and pins with epoxy, and educate users about those features and what a tampered-with device may look like. Manufacturers that can do so should pre-authorize resellers and inform customers about those resellers’ availability.
Designing Safer Smart Toys
The key to keeping toys safe as they take on more advanced and open technologies is proper planning and a security-conscious developer. Workinman Interactive has over a decade of experience designing games and apps for the youth market, with Security and COPPA as a few of our many areas of expertise. Let’s chat about how we can help your toys launch and remain safe and successful.