Incident: Security Flaw in VTech Children's Tablet Allows Remote Hacking

Published Date: 2018-12-04

Postmortem Analysis
Timeline 1. The software failure incident involving the VTech tablet flaw happened in early summer [Article 79094]. 2. The article reporting the incident was published on 2018-12-05. 3. Estimation: early summer in the UK runs from roughly June to early July, so the incident most likely dates to June 2018.
System 1. VTech's Storio Max tablet system [79094, 79112] 2. InnoTab Max tablet system [79094, 79112]
Responsible Organization 1. VTech [Article 79094, Article 79112]
Impacted Organization 1. Children aged between three and nine years old [79094, 79112] 2. Parents and carers using the affected tablets [79094, 79112] 3. VTech, the company manufacturing the tablets [79094, 79112]
Software Causes 1. The software failure incident was caused by a severe security flaw in VTech tablets such as the InnoTab Max and Storio Max that allowed attackers to spy on children [79094, 79112]. 2. Researchers at London-based SureCloud found that the tablets, whose browser restricts children to a set of pre-vetted websites, were vulnerable to attack if one of those vetted sites were compromised: content from the compromised site could exploit the flaw to obtain remote access to and control of the device [79094, 79112]. 3. The flaw allowed malicious code to be triggered remotely and run on the device, which would let an attacker monitor a child, listen to them, talk to them and view them through the webcam without the child's knowledge [79094, 79112].
Non-software Causes 1. Insufficient security checks before the tablets were put on sale [79112] 2. Reliance on pop-up alerts on the tablet to prompt installation of the software update rather than a more proactive approach [79094, 79112] 3. Delay in specifically warning customers about the security vulnerability and its risks [79112]
Impacts 1. The flaw allowed attackers to remotely take control of the VTech tablets and spy on children: listen to them, talk to them and watch them through the webcam [79094, 79112]. 2. Because exploitation depended on a pre-vetted site being compromised, children could be exposed to malicious activity through a site the tablet treated as trusted, without their knowledge [79094, 79112]. 3. VTech had to issue a software update to fix the flaw, but some parents had not installed it, leaving those children's devices at risk [79094, 79112]. 4. The incident raised concerns about the safety and security of children using the tablets and prompted VTech to act to resolve the issue and improve the security of its devices [79094, 79112].
Preventions 1. Regular security audits and penetration testing by independent cybersecurity firms could have potentially identified the vulnerability before it was exploited [Article 79112]. 2. Implementing a more robust software development lifecycle process that includes thorough security testing and code reviews could have helped catch the flaw before the product was released [Article 79094]. 3. Providing timely software updates and ensuring that all users install them promptly could have mitigated the risk of exploitation [Article 79094]. 4. Enhancing communication with customers about security vulnerabilities and risks associated with the product could have raised awareness and prompted quicker action from users to apply necessary fixes [Article 79112].
Fixes 1. A software update released by VTech to fix the security flaw on the InnoTab Max and Storio Max tablets [79094, 79112] 2. Prompting affected device owners to perform the firmware upgrade through pop-up messages and email notifications [79094, 79112] 3. Increased awareness and prominence of the security issue through a notice on VTech's homepage and coverage by BBC Watchdog Live [79112]
References 1. VTech company statement [Article 79094, Article 79112] 2. London-based SureCloud researchers [Article 79094, Article 79112] 3. BBC Watchdog Live investigation [Article 79112]
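The Software Causes and Impacts entries above turn on one point a practitioner should take away: an allowlist of pre-vetted sites is an origin control, not a content control. Once a vetted origin is compromised, everything it serves inherits the trust the allowlist granted it, and the filter provides no defence. The following is an added example, not VTech, SureCloud or BBC code; the hostnames, URLs and script bodies are constructed for the demonstration, and the hash-pinning variant is an illustrative hardening for a closed, curated ecosystem, not the remedy the articles describe (which was a firmware update fixing the code-execution flaw itself).

```python
"""Origin allowlist vs. content pinning for a curated child browser.

Added example (not from the original page or from VTech). Hosts, URLs
and script bodies are constructed for the demonstration.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist of "pre-vetted" hosts the tablet browser may load.
ALLOWED_HOSTS = {"kids.example-vetted.test", "learn.example-vetted.test"}

# Constructed "known good" script as originally published by a vetted site.
GOOD_SCRIPT = b"window.startGame = function () { /* vetted game code */ };"

# Constructed tampered script: what a compromised vetted site might serve.
# Same host, same URL, different content.
TAMPERED_SCRIPT = (
    GOOD_SCRIPT
    + b"\nnavigator.mediaDevices.getUserMedia({video: true, audio: true});"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a resource body."""
    return hashlib.sha256(data).hexdigest()


# Hash pins for specific resources, computed from the vetted copy at review time.
PINNED_RESOURCES = {
    "https://kids.example-vetted.test/game.js": sha256_hex(GOOD_SCRIPT),
}


def host_of(url: str) -> str:
    """Return the lower-cased host of an https URL, or "" if it is not https."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return ""
    return parsed.hostname.lower()


def origin_only_decision(url: str, body: bytes) -> bool:
    """Allowlist-only filter: trusts anything a vetted host serves.

    The body is deliberately ignored; this is the weakness. A compromised
    vetted host can deliver arbitrary content and still pass.
    """
    return host_of(url) in ALLOWED_HOSTS


def pinned_decision(url: str, body: bytes) -> bool:
    """Allowlist plus content pinning: a vetted host is necessary, not sufficient.

    Fails closed for unknown resources on a vetted host and for any resource
    whose body no longer matches the hash recorded when it was vetted.
    """
    if host_of(url) not in ALLOWED_HOSTS:
        return False
    expected = PINNED_RESOURCES.get(url)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(body), expected)


def compare_filters(url: str, body: bytes) -> dict:
    """Run both filters on one fetch so the difference is visible side by side."""
    return {
        "origin_only": origin_only_decision(url, body),
        "pinned": pinned_decision(url, body),
    }


if __name__ == "__main__":
    url = "https://kids.example-vetted.test/game.js"
    print("vetted copy:  ", compare_filters(url, GOOD_SCRIPT))
    print("tampered copy:", compare_filters(url, TAMPERED_SCRIPT))
```

The tampered script from the vetted host passes the origin-only filter and is rejected by the pinned one. Pinning works only where the set of resources is small and curated, as a children's device with a fixed catalogue of sites can be; for the open web the realistic defences are sandboxing the renderer so that a hostile page cannot reach the camera or microphone, and shipping the fix promptly, which is what the articles report VTech did.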

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) A security failure has happened again within the same organization. VTech had previously faced criticism for its handling of a separate cyber-security incident that exposed millions of its child customers' account details [Article 79112], so the tablet flaw is a repeat of security problems in VTech products rather than an isolated event. (b) The articles do not mention a comparable incident at other organizations or in their products and services, so there is no direct evidence of a multi-organization pattern.
Phase (Design/Operation) design, operation (a) The software failure incident in the articles can be attributed to the design phase. The security flaw in the VTech tablets, known as the InnoTab Max or Storio Max, allowed hackers to remotely take control of the device and spy on children. This flaw was discovered by a cyber-security company and required a software update to fix it [79094, 79112]. (b) The software failure incident can also be linked to the operation phase. The flaw in the software made the devices vulnerable to attack if pre-vetted sites were compromised, allowing malicious code to be remotely triggered to run on the devices. This flaw could be exploited to gain remote access to the device without the child's knowledge, enabling hackers to monitor, listen, talk, and have full control of the device [79094, 79112].
Boundary (Internal/External) within_system, outside_system (a) within_system: The flaw itself lay in the tablet's own software. It allowed an attacker to remotely take control of the Storio Max or InnoTab Max, snoop on users and access the webcam to monitor children without their knowledge [79094, 79112]. (b) outside_system: Exploitation depended on a factor outside the tablet: one of the third-party pre-vetted websites the device trusts had to be compromised before malicious code could reach the device [79094, 79112]. The disclosure by a UK cyber-security firm and the BBC Watchdog Live investigation were likewise external, and they are what prompted VTech to address the vulnerability publicly [79094, 79112].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the articles was primarily due to non-human actions, specifically a severe security flaw in the tablet's software that allowed hackers to remotely take control of the device and spy on children [79094, 79112]. The flaw was discovered by a cyber-security company and could be exploited remotely without the child's knowledge, enabling hackers to monitor, listen, talk, and have full access to the device, including viewing through the webcam. The vulnerability in the software allowed for the execution of malicious code from afar, making it a non-human factor contributing to the failure incident. (b) Human actions also played a role in the software failure incident. VTech, the company behind the tablet, was made aware of the issue several months before the public disclosure by a cyber-security company [79094]. Despite being alerted to the vulnerability, some parents had not installed the software fix, indicating a delay in human action to address the security flaw. Additionally, the researchers who discovered the flaw mentioned that more thorough checks before the tablets were released could have potentially identified the issue earlier, suggesting a need for improved human actions in quality assurance and testing processes [79112].
Dimension (Hardware/Software) software (a) The software failure incident in the articles was primarily due to contributing factors that originate in software. The incident involved a severe security flaw in VTech's Storio Max tablet, which allowed hackers to remotely take control of the device and spy on children. The flaw was related to the software vulnerability that could be exploited to run malicious code on the devices from afar, enabling hackers to monitor children, listen to them, talk to them, and even view them through the webcam [Article 79094, Article 79112]. (b) The software failure incident was not attributed to contributing factors originating in hardware.
Objective (Malicious/Non-malicious) malicious (a) The failure mode is malicious in effect: the flaw in VTech's InnoTab Max and Storio Max tablets could be exploited by attackers to remotely take control of the device and spy on children, monitoring them, listening to them, talking to them and watching them through the webcam [79094, 79112]. Exploitation would involve remotely triggering malicious code on the device, potentially without the child knowing [79094]. (b) The flaw's origin was non-malicious: the researchers at London-based SureCloud found an unintentional defect in VTech's software that made it vulnerable if pre-vetted sites were compromised. The defect was not planted deliberately; it merely made remote execution of malicious code possible [79094, 79112].
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident related to the VTech tablets had elements of poor_decisions. The incident was a result of a severe security flaw in the tablet that allowed hackers to spy on children. VTech had been made aware of the issue several months prior by a cyber-security company but initially relied on pop-up alerts on the tablet to prompt the installation of the update [79094]. Additionally, the issue was not explicitly communicated to customers until BBC Watchdog Live got involved, indicating a lack of proactive communication about the security vulnerability [79112].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the articles can be attributed to development incompetence. The incident was caused by a severe security flaw in the VTech tablets, specifically the InnoTab Max and Storio Max, which allowed hackers to spy on children. The flaw was discovered by a cyber-security company, and VTech had to release a software update to fix the vulnerability [79094, 79112]. (b) Additionally, the incident can also be categorized as accidental, as the vulnerability in the software was not intentional but rather a result of a flaw in the firm's software that made it vulnerable to attack if pre-vetted sites were compromised. The flaw allowed malicious code to be remotely triggered on the devices, enabling hackers to gain remote access and control of the tablets without the child's knowledge [79094, 79112].
Duration temporary From the provided articles, the software failure incident related to the VTech tablets, specifically the Storio Max or InnoTab Max, can be categorized as a temporary failure. The incident involved a software flaw that could allow hackers to remotely take control of the device and snoop on its users [Article 79112]. The flaw was discovered by researchers at SureCloud, who informed VTech about the problem, leading to VTech issuing a software fix in May [Article 79112]. VTech took immediate action to resolve the issue and pushed out a firmware upgrade to all affected devices in Europe [Article 79112]. Additionally, VTech sent emails to European owners who had not performed the upgrade to urge them to do so [Article 79112]. The company also improved the visibility of the upgrade reminder on its website and provided a step-by-step guide to applying the fix [Article 79112]. These actions indicate that the software failure incident was temporary and addressed through software updates and communication with customers.
Behaviour omission, value, other (a) crash: The articles do not describe a crash in which the system loses state and stops performing its intended functions. (b) omission: The device's intended protection, confining children to pre-vetted sites, failed to hold once a vetted site was compromised, so the system omitted the safeguard it was meant to provide [Article 79112]. (c) timing: The incident does not involve the system performing its functions correctly but too early or too late. (d) value: Remotely triggered malicious code could make the device behave incorrectly, executing attacker-controlled functions instead of its intended ones [Article 79112]. (e) byzantine: The incident does not exhibit inconsistent or erratic responses. (f) other: The distinctive behaviour here is that an attacker could gain full access to and control of the device, including monitoring children, listening to them, talking to them and watching them through the webcam [Article 79094].

IoT System Layer

Layer Option Rationale
Perception processing_unit, embedded_software (a) sensor: The software failure incident was not directly related to a sensor error. (b) actuator: The software failure incident was not directly related to an actuator error. (c) processing_unit: The software failure incident was related to a processing error as it involved a flaw in the tablet's software that allowed hackers to remotely take control of the device and snoop on its users [Article 79112]. (d) network_communication: The software failure incident was not directly related to a network communication error. (e) embedded_software: The software failure incident was related to embedded software error as researchers discovered a flaw in the firm's software that made it vulnerable to attack if pre-vetted sites were compromised [Article 79112].
Communication unknown The software failure incident reported in the articles does not specifically mention whether the failure was related to the communication layer of the cyber physical system that failed. The focus of the incident was on a severe security flaw in VTech's tablets that allowed hackers to remotely take control of the device and spy on children. The vulnerability was related to the software itself and how it could be exploited to run malicious code on the devices from afar, rather than being attributed to issues at the communication layer ([79094], [79112]).
Application TRUE The software failure incident related to the VTech tablets, specifically the Storio Max or InnoTab Max, was indeed related to the application layer of the cyber physical system. The failure was due to a severe security flaw that allowed hackers to remotely take control of the device, snoop on users, and potentially access the webcam without the child's knowledge. This flaw was identified by a cyber-security firm and required a software update to fix the vulnerability [Article 79094, Article 79112].

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence, other (a) death: People lost their lives due to the software failure - No deaths are reported in the articles [79094, 79112]. (b) harm: People were physically harmed due to the software failure - No physical harm is reported [79094, 79112]. (c) basic: People's access to food or shelter was impacted because of the software failure - No such impact is reported [79094, 79112]. (d) property: People's material goods, money, or data was impacted due to the software failure - The flaw exposed users' privacy and data: an attacker could take control of a child's tablet and spy on the child [79094, 79112]. (e) delay: People had to postpone an activity due to the software failure - No postponed activities are reported [79094, 79112]. (f) non-human: Non-human entities were impacted due to the software failure - The security and functionality of the VTech Storio Max and InnoTab Max tablets themselves were affected [79094, 79112]. (g) no_consequence: There were no real observed consequences of the software failure - Not applicable; the incident exposed a flaw that could compromise the privacy and safety of children using the tablets [79094, 79112]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles describe the remote access and control the flaw could allow but give no indication that it was actually exploited at the time of reporting [79094, 79112]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - Owners had to install a software update to secure their devices, and VTech had to run a notification campaign (pop-ups, emails, a homepage notice) to get them to do so [79094, 79112].
Domain information, health (a) The failed system belongs to the information industry: a tablet designed for children aged three to nine, with parental controls restricting access to websites [Article 79094]. (j) The incident is also classed under health on child-safety grounds, since the vulnerable tablet could compromise the safety and privacy of the children using it [Article 79094]; the device itself is not a health product. (m) The incident does not directly relate to any other industry in the options provided.
