A few months ago, the Hong Kong based toy maker VTech allowed itself to be hacked and millions of accounts exposed including hundreds of thousands of kids complete with names, ages, genders, photos and their relationships to their parents replete with where they (and assumedly their children) could be located. I chose this term deliberately – “allowed itself to be hacked” – because that’s precisely what happened. In an era where major incidents such as Ashley Madison and TalkTalk were front page news in the mainstream press, VTech continued to run a service with such egregious security flaws as the SQL injection risk the hacker originally exploited, unsalted MD5 password hashes, no SSL encryption anywhere, SQL statements returned in API calls (it’s actually in the JSON response body of my post above) and massively outdated web frameworks. What I didn’t write about at the time but reported privately was that they also had multiple serious direct object reference risks; the API that returned information on both kids and parents could be easily exploited just by manipulating an ID. Here’s what I shared with VTech via the reporter who originally broke the story (this is about the available methods on one of their APIs):
One of these is getKids and all it needs is the ID of the parent. No authentication token, no authorisation that the user can actually access the kid’s details, nothing more than a sequentially incrementing number. There’s also getParent which does exactly the same thing so the bottom line is that you don’t even need a data breach because as it stands today, you can simply enumerate the API. As an attacker, I can request the details on every single parent and get name, email and post code then take that parent ID and get every single child they’ve registered.
I actually created two accounts in order to demonstrate that whilst logged on as one, I could access the data from the other. The level of sophistication involved here is being able to count, yet in a subsequent press release, VTech claimed that the incident was an “orchestrated and sophisticated attack on our network”. No, it was neither of these things: firstly because it was a single individual, therefore they weren’t exactly orchestrating anything with anyone, and secondly because being able to add numbers does not make for a sophisticated attack, nor does being able to mount a SQL injection attack using some automated tools (indeed this was how a 15-year-old kid was able to compromise TalkTalk). As much as the attacker’s actions were illegal and he deserves to be held accountable, VTech has some serious blame to wear.
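To make the direct object reference flaw concrete, here is an added example (not VTech’s code) modelling the getKids call described above: first the insecure form that trusts a caller-supplied parent ID, then the server-side ownership check it was missing. The records, parent IDs and session tokens are all constructed for the example.

```python
# Added example, not VTech's code: a minimal model of the "getKids" call.
# All records, parent IDs and session tokens below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Kid:
    kid_id: int
    parent_id: int
    name: str


# Constructed sample data: sequential parent IDs, as in the post.
KIDS = [
    Kid(1, 1001, "Kid A"),
    Kid(2, 1001, "Kid B"),
    Kid(3, 1002, "Kid C"),
]

# Constructed session store: opaque session token -> authenticated parent ID.
SESSIONS = {"tok-parent-1001": 1001, "tok-parent-1002": 1002}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested record."""


def get_kids_insecure(parent_id: int) -> list:
    """The flaw: no session, no ownership check; any parent_id is honoured."""
    return [k for k in KIDS if k.parent_id == parent_id]


def get_kids(session_token: str, parent_id: int) -> list:
    """Hardened: identity comes from the session, and the requested parent must
    be the caller. Missing session and mismatched ID fail closed with the same
    error, so the response does not reveal which parent IDs exist."""
    caller = SESSIONS.get(session_token)
    if caller is None or caller != parent_id:
        raise Forbidden("not authorised for this parent record")
    return [k for k in KIDS if k.parent_id == caller]


def get_my_kids(session_token: str) -> list:
    """Better still: never accept the parent ID from the client at all;
    derive it from the authenticated session and return only that parent's kids."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("no valid session")
    return [k for k in KIDS if k.parent_id == caller]
```

The `get_my_kids` form removes the client-controlled identifier entirely, which is the cleanest fix: there is nothing left to manipulate.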
The problem though, is that apparently they now feel customers should wear all the risk for shortcomings in their systems:
@Scott_Helme @troyhunt They updated the T&C's so you have to agree to your data being insecure see section 7 of this https://t.co/AlrCLeCeR0 — Robin Bradshaw (@en4rab) February 5, 2016
Suspecting that this may be over-dramatisation courtesy of a hastily written tweet, I sought out the section in question and found this:
7. Limitation of Liability
YOU ACKNOWLEDGE AND AGREE THAT YOU ASSUME FULL RESPONSIBILITY FOR YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM IS AT YOUR OWN RISK. RECOGNIZING SUCH, YOU UNDERSTAND AND AGREE THAT, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEITHER VTECH NOR ITS SUPPLIERS, LICENSORS, PARENT, SUBSIDIARIES, AFFILIATES, DIRECTORS, OFFICERS, AGENTS, CO-BRANDERS, OTHER PARTNERS, OR EMPLOYEES WILL BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY OR OTHER DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER TANGIBLE OR INTANGIBLE LOSSES OR ANY OTHER DAMAGES OR LOSS BASED ON CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER THEORY (EVEN IF VTECH HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM THE SITE OR SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM; THE USE OR THE INABILITY TO USE THE SITE; UNAUTHORIZED ACCESS TO OR ALTERATION OR DESTRUCTION OR DELETION OF YOUR TRANSMISSIONS OR DATA OR DEVICE; STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE SITE; ANY ACTIONS WE TAKE OR FAIL TO TAKE AS A RESULT OF COMMUNICATIONS YOU SEND TO US; HUMAN ERRORS; TECHNICAL MALFUNCTIONS; FAILURES, INCLUDING PUBLIC UTILITY OR TELEPHONE OR INTERNET OUTAGES; OMISSIONS, INTERRUPTIONS, LATENCY, DELETIONS OR DEFECTS OF ANY DEVICE OR NETWORK, PROVIDERS, OR SOFTWARE; ANY INJURY OR DAMAGE TO COMPUTER EQUIPMENT; INABILITY TO FULLY ACCESS THE SITE OR ANY OTHER SITE; THEFT, TAMPERING, DESTRUCTION, OR UNAUTHORIZED ACCESS TO, OR ALTERATION OF, ENTRIES, IMAGES OR OTHER CONTENT OF ANY KIND; TYPOGRAPHICAL, PRINTING OR OTHER ERRORS, OR ANY COMBINATION THEREOF; OR ANY OTHER MATTER RELATING TO THE SITE OR THE SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, VTECH’S LIABILITY TO YOU FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO THE AMOUNT PAID, IF ANY, BY YOU TO PURCHASE A VTECH DEVICE OR SOFTWARE.
Here’s the bit I have a really hard time fathoming:
YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES
But it’s their responsibility to secure it! Look, I’m the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong, but even then, you, as the organisation involved, have to take responsibility. Certainly that’s the expectation of the customer – that the information they provide will remain secure – and VTech (or anyone else for that matter) cannot simply absolve themselves of that responsibility in their terms and conditions. People don’t even read these things! If they honestly don’t feel they’re up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the “zero accountability” clause.
What makes this position even more absurd is that VTech is now heading into home security:
Look who wants to help you monitor and secure your house. pic.twitter.com/xFW1977ZHP — Lorenzo Franceschi-B (@lorenzoFB) January 7, 2016
This was shared by Lorenzo Franceschi-B who’s the reporter the attacker originally handed the data to before coming to me to help verify it so you could say that we both have a special interest in how this whole thing pans out. I wonder if they set the same expectations around their home security products perhaps not actually being secure?
The bigger picture here is that companies are building grossly negligent software – not just one mistake in otherwise well-written software (the Patreon incident is a good example of this) – and then simply not being held accountable when it all goes wrong. I genuinely hope the proposed EU data protection laws requiring up to 4% of gross revenue to be paid in the event of a data breach serve as an incentive for orgs to get their act together because as it stands, too many companies just aren’t taking this seriously. What I find unfathomable is how C-suite execs don’t take a moment whilst watching all these hacks appear in prime time news – and they simply cannot have missed some of 2015’s very well-publicised incidents – and think to themselves “Hey, I wonder if my multi-billion-dollar business might be at risk, perhaps we should make sure we’re prepared”. Or perhaps it’s just easier to write a dismissive set of T&Cs and move on…