Darknet Diaries - Ep 2: The Peculiar Case of the VTech Hacker
Episode Date: September 15, 2017
VTech makes toy tablets, laptops, and watches for kids. In 2015, they were breached. The hacker downloaded gigs of children's data. Discover what the hacker did once he took the data. ...
Transcript
It's Tuesday, December 15th, 2015, and a suspect has been arrested in the VTechKids
toy hacking case.
UK police slapped the cuffs on a 21-year-old man just a few hours ago as part of an ongoing
investigation into the hacking.
Estimates indicate almost 6.5 million kids' profiles and almost 5 million adult accounts
were compromised in what might be described as the most unscrupulous hack to hit headlines in years.
No credit card info was obtained, but children's names and addresses are said to have been
accessed, which, aside from being a black eye on VTech, is just straight up creepy.
The suspect hasn't yet been named, but something tells us his next few days behind bars probably
won't be so enjoyable.
Happy holidays, creep.
This is Darknet Diaries.
True stories from the dark side of the internet.
I'm Jack Rhysider.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a
subscription service that finds and removes personal information from hundreds of data
brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me
makes sure your personal profile is no longer theirs to sell. I tried it and they immediately
got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was
great to have someone on my team when it comes to my privacy. Take control of your data and keep
your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries
listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo
code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries
and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like
penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes
do not need to be expensive, and they are trying to break down barriers to get more people into
the security field. And if you decide to pay over $195, you get six months access to the MetaCTF
Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
Kids today see their parents using tablets and phones, and they want to play too.
Toymakers have tried to capitalize on this by offering child-friendly tablets and smartwatches.
These kid-friendly devices are online and connected to the internet, just like any other tablet.
They have features that let the child send messages from their tablet to their parent's phone.
Not just chats, though. The kid can send pictures, videos, or voice recordings.
VTech is one maker of these kinds of kid-friendly devices. They make tablets and phone apps that
are specifically designed for kids. When you buy a VTech tablet, it asks you to register the device.
They ask for the parent's name and the physical address, as well as the username and password.
Then the toy tablet also asks for the
child's name, if they are a boy or a girl, and what their birthday is. It even suggests you take a
picture of the child using the tablet to set up a profile. This registration allows the parent's
phone to connect to their kid's tablets. The technology VTech created that connects a parent's
phone to a kid's tablet is called KidConnect.
VTech also created its own app store called The Learning Lodge,
where you can use their tablet to download apps, games, and books.
Take a guess at what happens when hackers get a hold of these toy tablets.
They end up pushing the tablets to the limits.
There's a forum dedicated to hacking the VTech tablets.
People have been able to do all sorts of things.
One hacker took the thing apart and with a soldering iron was able to get into the underlying operating system, which is Linux.
From there, the hackers were able to get root access to it.
Then eventually, someone showed us they got the little toy tablet to play Doom, that old PC game from the 90s.
The hardware hacker community is often heard saying,
If you can't open it, you don't own it.
Just like it's legal to do work on your own car, it's also legal to modify the electronics you own.
You may void the warranty, but it's not illegal to take it apart and do whatever you want to it.
As this forum grew in popularity, it eventually attracted a different kind of hacker.
Instead of a hardware hacker, this guy was a network hacker. He browsed around and found the tablets talk frequently to a website called planetvtech.com. He took a look at that website
and almost immediately found it was vulnerable to SQL injection.
SQL injection is the number one risk websites face.
It takes advantage of weak code to exploit the underlying database.
Network hackers like this are often already equipped with loads of scripts and programs that automatically execute an attack. Out of sheer curiosity, with a few keystrokes,
this hacker ran a script against planetvtech.com,
which attempted a SQL injection.
To his surprise, it worked.
He had shell access to the website.
A few keystrokes later, he then had root access.
He said to himself, quote,
Holy fuck, I have root. That was easy. What can I find?
End quote. He had full access to the planetvtech.com website, 100% control of it. Once the hacker was
in the web server, he took a look around. He saw numerous other servers on the VTech network,
including a database server.
He was able to hop into the database, and when looking around there, he found the database was
huge. The hacker grabbed a copy of everything in the database, downloaded the whole thing,
then moved on to another database and grabbed a copy of everything there too.
The hacker then disconnected from the VTech servers. He knew he had committed a crime, and a wave of nervousness swept across him.
This breach occurred around November 16, 2015.
The hacker was equal parts disappointed and excited.
He thought getting into the VTech network was way too easy.
In a very short time, he was able to take all the contents of
their multiple databases. With a copy of the VTech database on his own computer, he was able to slowly
go through it and see what data he had. The first thing he noticed was a table called parent.
It had the following fields: first name, last name, email address, encrypted password, secret question, secret answer,
home address, IP address. As the hacker looked, he realized this is the entire user database
for everyone who's registered at the site. There were 4.8 million people listed in this table.
He could not believe his eyes. A list of 4.8 million user accounts would be a hot
item on the darknet. A list this large could bring in some decent bitcoin. But the hacker had no
intention of selling the data. The hacker took another look at the database and found another
interesting table called member. It contained children's names,
birthdays, gender, and their parents' ID. The hacker realized that by combining the two tables,
he could positively identify what the last name of the child was and where they live.
This table contained the information of 200,000 children. By looking at the birth dates, the average age of the child was five years old.
The hacker turned his computer off and took a walk to think about what to do.
He was much more angry than he was excited. He was angry that VTech was so careless with
securing their site and with the personal information of so many children so easily
obtained. It became clear to the hacker that he had to get VTech to admit
that they have a security problem and to fix it. Having such lax security for children's personal
data was unacceptable to the hacker, so he began thinking of ways to fix the problem.
He could go in and fix it himself, but that wouldn't teach VTech how to keep it secure in
the future. He thought about reaching out to VTech,
but he thought they'd never listen to him,
or they'd try to fix it and deny it was ever a problem.
The hacker took a few days to think about what to do.
He decided to tell the media.
This way, the story will break worldwide and VTech would have to solve the problem fast.
He decided to reach out to Lorenzo Franceschi-Bicchierai,
the reporter for Vice's Motherboard. Motherboard is a news outlet specifically covering stories
related to computers, and Lorenzo had been breaking a lot of really great stories about breaches.
Many security reporters provide numerous ways for people to reach them anonymously,
sometimes through signal or using PGP emails, encrypted chat, or other means.
The hacker connected with Lorenzo securely and asked to remain anonymous. He gave Lorenzo the
4.8 million user records and the 200,000 children records and asked him to break the story. He
clearly told Lorenzo that he was an ethical hacker and had no intention of using this data for anything malicious.
The hacker told Lorenzo, quote, profiting from database dumps is not something I do, especially
not if children are involved. I just want issues made aware and fixed. It was pretty easy to dump,
so someone with darker motives could easily get it. Frankly, it makes me sick that I was able to
get all this stuff. VTech should have the book thrown at them. They have shitty security. End quote. Lorenzo now had the burden to figure out what to do. The first thing
he tried to do is determine if the hacker is telling the truth and if this data is new and
legit. The worst thing a reporter can do is falsely accuse someone of wrongdoing. That would be
slander. That would ruin the reporter's reputation.
So Lorenzo sent the dump to Troy Hunt to validate it. Troy is a security researcher,
most famously known for running the website haveibeenpwned.com. Troy obtains as many email
dumps as he can. These are giant lists of email addresses that are seen in security breaches.
He then turns his list into
a public service to allow anyone to search his website to see if their email address was part
of a breach. At first you may think a site like that is a phishing scam, and some are. But Troy
has proven himself to be ethical and legit. He and his website are trustworthy. He has over 4 billion email addresses in his database,
which he gathered from all public breaches. Troy took a look at this new dump from Lorenzo.
He found the password field wasn't encrypted in the database like it said it was. Instead,
the passwords were stored using a basic unsalted MD5 hash. Without going into too much detail of what MD5 is, just
know it's bad security practice to store your passwords this way. Some MD5 hashes you
can simply google and find the password. There are supercomputers that can brute force an
MD5 hash and crack it fairly quickly. Storing passwords as MD5 hashes is a severe lack of
security.
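To make the point about unsalted MD5 concrete, here is an added example (not code from the podcast or from VTech) that builds a small constructed dump of parent accounts hashed the way the passage describes, shows why a single precomputed lookup table recovers every weak password at once, and contrasts it with per-user salted PBKDF2 storage. The account names, passwords and wordlist are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: three parent accounts whose passwords are stored as
# bare, unsalted MD5 hashes. Generated here from made-up passwords so the
# sample stays self-consistent; two users deliberately share a password.
SAMPLE_USERS = {
    "alice@example.com": "password",
    "bob@example.com": "123456",
    "carol@example.com": "password",  # same password as alice
}


def md5_unsalted(password: str) -> str:
    """The weak scheme: one deterministic MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


CONSTRUCTED_DUMP = {email: md5_unsalted(pw) for email, pw in SAMPLE_USERS.items()}

# Tiny stand-in for the public hash lookup tables the passage refers to.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def recover_from_unsalted_dump(dump: dict, wordlist: list) -> dict:
    """Why unsalted MD5 fails: hash the wordlist once, then every record in the
    dump is a dictionary lookup, and identical passwords collapse to one hash,
    so the work does not grow with the number of accounts."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# --- Corrected scheme: random per-user salt plus an iterated KDF ---------
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Store salt and iteration count alongside the PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_record(scheme) -> bool:
    """Do two users who pick the same password get identical stored values?
    True for unsalted MD5 (lookup tables work), False for salted PBKDF2."""
    return scheme("password") == scheme("password")


if __name__ == "__main__":
    print(recover_from_unsalted_dump(CONSTRUCTED_DUMP, COMMON_PASSWORDS))
    print("unsalted MD5 repeats across users:", same_password_same_record(md5_unsalted))
    print("salted PBKDF2 repeats across users:", same_password_same_record(hash_password))
```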
Troy was at first shocked by this.
He then went to the website to see what it looked like.
He immediately noticed the site doesn't use HTTPS anywhere.
Not for authentication or the API.
Nothing.
He also noticed the site was running ASP 2.0, which by that time had been unsupported by Microsoft for over
four years. He also noticed some parts of the website were leaking more information than they
should, returning errors with surprising results. A failed login message would actually show the
SQL query used to log in. Troy was shocked by the details he could gather simply by using the site
and not even trying to hack it.
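The two server-side defects Troy noticed, a login query assembled from raw input and a failed-login message that echoes that query back, can be shown side by side. This is an added example (not VTech's code or anything from the podcast) using an in-memory SQLite table with made-up accounts; the input with an apostrophe is an ordinary surname, not an attack string, and it is enough to break the concatenated query and leak it.

```python
import hashlib
import sqlite3

SERVER_LOG = []  # stands in for a server-side log that clients never see


def md5_hex(text: str) -> str:
    """Mirrors the site's storage scheme for this sample only."""
    return hashlib.md5(text.encode()).hexdigest()


def setup_constructed_db() -> sqlite3.Connection:
    """In-memory stand-in for the parent table, populated with made-up accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parent (email TEXT PRIMARY KEY, password_md5 TEXT)")
    con.executemany(
        "INSERT INTO parent VALUES (?, ?)",
        [
            ("alice@example.com", md5_hex("password")),
            ("o'brien@example.com", md5_hex("correct horse")),
        ],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, email: str, password: str) -> dict:
    """The anti-pattern: user input concatenated into SQL, so any quote in the
    input changes the statement, and the failure message shows the query."""
    query = (
        "SELECT email FROM parent WHERE email = '" + email
        + "' AND password_md5 = '" + md5_hex(password) + "'"
    )
    try:
        row = con.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Leaks table and column names plus the hash format to the client.
        return {"ok": False, "message": f"Login failed: {exc}. Query was: {query}"}
    if row is None:
        return {"ok": False, "message": f"Login failed. Query was: {query}"}
    return {"ok": True, "message": "Welcome"}


def login_fixed(con: sqlite3.Connection, email: str, password: str) -> dict:
    """Parameterized query: input is bound as data and can never alter the
    statement. The client gets a generic message; detail goes to SERVER_LOG."""
    try:
        row = con.execute(
            "SELECT email FROM parent WHERE email = ? AND password_md5 = ?",
            (email, md5_hex(password)),
        ).fetchone()
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"login db error for {email!r}: {exc}")
        return {"ok": False, "message": "Login temporarily unavailable."}
    if row is None:
        SERVER_LOG.append(f"failed login for {email!r}")
        return {"ok": False, "message": "Invalid email or password."}
    return {"ok": True, "message": "Welcome"}


if __name__ == "__main__":
    db = setup_constructed_db()
    print(login_vulnerable(db, "o'brien@example.com", "correct horse"))
    print(login_fixed(db, "o'brien@example.com", "correct horse"))
    print(login_fixed(db, "o'brien@example.com", "wrong"), SERVER_LOG)
```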
The dump passed the sniff test for Troy, but at almost 5 million user records, he wanted help to verify the contents were legit.
Troy's website, Have I Been Pwned?, was wildly successful, and he offered an additional service.
Not only could you check your email to see if it had been in a breach, but you can also give him your email and he'll notify you if it shows up in any future breaches.
By this time, Troy had almost 300,000 subscribers to this email watch list.
Troy looked through his subscribers and tried to find any that also showed up in the VTech user dump.
He did in fact find many matching email addresses, so he reached out to those people.
He asked if they had a VTech account and asked if the home address and ISP were accurate.
This is what their responses were. Yes, that's accurate. I did register at VTech so I could
download add-ons for a toy laptop. Yes, that is accurate. It's an old address. I was at that ISP
at that time so I can verify the info.
I would have used a VTech website for my daughter around that time too.
Yes, I did access VTech Learning Lodge in 2014 after purchasing Cora Cup for my child.
In order to personalize its voice-activated feature, you had to join the Learning Lodge.
At this point, Troy was convinced the dump was legit and told Lorenzo what he found.
This episode is sponsored by SpyCloud. With major breaches and cyberattacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to
cookies to PII. Knowing what's putting you and your organization at risk and what to remediate
is critical for protecting you and your users from account takeovers, session hijacking,
and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals'
ability to profit from stolen data. With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or info-stealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
By this time, Lorenzo had already reached out to VTech multiple times.
Over and over, Lorenzo was getting no response, or being redirected to somewhere else.
Eventually, days later, Lorenzo got the following response from a VTech spokesperson named Grace Pang.
Quote,
On November 14th, an unauthorized party accessed VTech customer data on our Learning Lodge App Store customer database.
We were not aware of this unauthorized access until you alerted us.
End quote.
VTech claims they received the email from Lorenzo, found evidence of the hack the next day,
then three days later issued a press release and notified their customers through email. Their initial press statement
was vague and unclear as to what was taken and who was impacted. They also said the passwords
were encrypted, but technically MD5 hashing is not an encryption method. The date didn't line
up either, because the data in the dump was timestamped two days
after they said the breach took place. But they did take down the following websites,
planetvtech.com, vsmilelink.com, and sleepybearlullabytime.com.
Taking these websites down must have been a big decision for VTech.
Imagine the app store being down on your phone for over a month. No updates, no downloads, no sending messages between devices. Their toys lost
major functionality during that time, but the company did the right thing by shutting the
servers down. If not, they would have attracted many other hackers and had a much bigger catastrophe
on their hands. Once the vulnerable
websites were offline and a press statement was issued, Lorenzo then published his article
indicating VTech suffered a data breach. He published all the details of what the hacker
had given him. Troy Hunt followed up with a scathing blog post of his own. The news spread
quickly of VTech's poor security controls. Parents around the world
were outraged their children's information was leaked. VTech is a company based in Hong Kong,
but they have a large market in the US, Spain, UK, Germany, and France. VTech's stock began to tumble.
Troy was also facing an ethical dilemma. His website, haveibeenpwned.com, allowed users to search emails that were seen in public data breaches.
He added the 4.8 million email addresses to his site, but refused to make the children's names searchable.
The hacker who broke into VTech took another look at the data he grabbed.
To his surprise, he found even more data than he initially realized.
There was a certain directory that had 190 gigabytes of data.
As he looked through it, he found it contained over 100,000 pictures
that children took with their tablets, watches, or laptops.
Many of these photos were duplicates, blurry, or just black.
So it was hard to guess as to how many actual photos there were.
The hacker looked further through the files he took.
He found there were chat logs, which went back a whole year.
These would be all chat messages that were sent between the child's tablet and the parent's phone.
Looking at the data even further, the hacker found a directory full of audio files.
He opened one and played it.
This is what he heard. There were thousands of recordings like
this. These are recordings of kids talking into their tablets. The hacker reached back out to Lorenzo and gave him the 190 gigabytes of photos,
a year's worth of chat logs, and numerous voice recordings.
A few days later, Lorenzo published a second article on Motherboard with these new findings.
We are now able to see redacted pictures of children and hear their voices.
This adds salt to VTech's wounds.
More parents are realizing their child's personal information was not kept safe.
The hacker told Lorenzo he was pleased with the way the news stories were spreading awareness of the problem.
Quote,
It is as much coverage as I had hoped for.
End quote.
The hacker went on to say he might move to a new target.
Quote,
Maybe into
End quote.
VTech published an FAQ.
It contained more information about the hack.
VTech claimed that not just 200,000 children's accounts were taken, but instead that number was 6.3 million children's accounts. But
VTech did not admit that any photos were taken. Then U.S. Senators Edward Markey and Joe Barton
sent VTech a letter pointing at the Children's Online Privacy Protection Act, otherwise known as
COPPA, an act established in 1998 to protect children online. Their letter also contained nine questions they wanted VTech to answer, such as,
What information do you collect on children under 12?
What do you use that information for?
Do you sell any of that to anyone?
What encryption is used to secure the data?
VTech didn't immediately respond, but they eventually updated their FAQ to answer some of these questions.
A week after the breach, VTech hired a security firm called FireEye to help with incident response.
FireEye was able to find the security issues and resolve them.
On January 25th, two months after the servers were taken down, they were partially restored.
Users could update and register their devices again, but still
could not use the App Store. A month after the breach, a specialized crime unit in England caught
and arrested a 21-year-old man in a town west of London. He was arrested on a suspicion of
unauthorized use of a computer, as outlined in the Computer Misuse Act of 1990. The crime unit also
seized multiple electronic items found.
They also mentioned this may be related to VTech.
But the press release did not say the name of the man they arrested.
Lorenzo attempted to reach out to the hacker,
but he never got a response.
Two months after the breach,
Lorenzo was attending an electronics trade show
and found one of the booths was VTech.
They were launching a brand new line of products.
These weren't for kids, though.
They were selling smart light bulbs, door sensors, and security cameras.
When Lorenzo asked VTech's marketing director if it's secure,
he said they are, quote,
going through penetration
tests by a third party and everything is going to be very secure, end quote. The next month,
VTech changed the terms of service on their website and now read in all capital letters,
you acknowledge and agree that any information you send or receive during your use of this site
may not be secure and may be intercepted or later acquired by unauthorized parties. It appears that VTech thinks they can relieve themselves
of any misdoings by simply letting their customers know their data may be insecure
and hacked at any time. A few lawyers commented on this and believed a clause like that won't hold
water in the US or UK, citing things like COPPA laws.
Numerous politicians and state attorneys contacted VTech to discuss the COPPA laws in detail.
VTech has updated their privacy policy to be more compliant with COPPA. For instance,
they now state in their privacy policy that all pictures and voice messages are encrypted when stored. VTech's stock was on a downtrend before
the breach, and after the breach, the stock dropped by 13%. Within three months, it was back
above where it was before the breach. Their toys continued to be sold in major toy stores around
the world. In the following weeks after the breach, several upset parents sued VTech North America.
The suits were consolidated into a single class action lawsuit.
Plaintiffs included eight adults and 14 children.
A year and a half later, in July 2017, the case went before a judge.
VTech asked the judge to dismiss the case, which the judge granted.
He dismissed the case because the plaintiffs could not show how they were harmed. The judge could not find any proof that identity theft or any damage was done to
the plaintiffs. The judge cited Lorenzo's article, saying the breach was done by someone who did not
have any intention to use the data in a malicious manner. There's an update to this story. On January 8th, 2018, the FTC did find VTEC to
have violated COPA laws. VTEC agreed to pay the $650,000 fine imposed by the FTC, but they also
issued a press release saying they haven't violated any laws. They're also required to
revise their security program and conduct security audits for the next 20 years.
We have not seen the contents of this dump show up on any Darknet site.
This leads me to believe the hacker upheld his promise and did not try to profit from the data he stole.
The VTech FAQ had a question on it asking what happened to the hacker who was arrested.
For over a year, the FAQ simply referred people to the press release put out by the crime unit that arrested him.
The press release had very little information and didn't even include his name.
In December 2016, over a year after the breach occurred, VTech updated their FAQ with a different answer to this question.
They said the man who was caught simply received a formal police caution in November 2016. If this is true, it means he was
detained for a full year before receiving a police caution. Police cautions are usually reserved for
minor crimes to sometimes save on filling out full police reports,
but still put the crime on the record.
Perhaps the FAQ has a typo on the year.
Even now, two years later,
it's still unclear exactly what happened to the hacker.
We don't know if he was arrested or not.
We don't even know his name or his status.
If he did only receive a police caution,
then the story's over. But he might still be sitting in jail somewhere.
While the hacker did commit a crime, his intention was simply to be a whistleblower,
with his primary goal of improving the security of children's data.
You've been listening to Darknet Diaries.
For show notes and links, check out darknetdiaries.com.
Music is provided by Ian Alex Mac, Kevin MacLeod, and Chris Zabriskie. Thank you.