Security experts from Lastline and Balabit have the following comments on SQL Injections.
Péter Gyöngyösi, Product Manager of Blindspotter, Balabit:
“The VTech breach: sneak peek into the IoT security nightmare
“As it was reported by multiple sites, the Hong Kong-based toy manufacturer VTech was breached and a massive data dump containing the personal information and passwords of 4.8 million parents and their children became public. On top of being a massive security breach that involves under-aged kids, this incident showcases two things that can possibly go wrong if security does not evolve as the Internet-of-Things becomes more and more widespread.
“You need an account for everything.
These kids wanted to play with a toy tablet. Their parents wanted to update the device every once in a while. Just as you don’t want to set up an account to play with LEGO or to use your toaster, they probably did not want to do that for these VTech products, either. As more and more things are connected to and controlled through the Internet, it becomes less convenient or outright impossible to use a new tool without setting up an account. Having thousands of different accounts means there are thousands of places to steal your credentials from. Using single-sign-on services or a password manager to avoid password reuse becomes more and more important in a more and more connected world.”
“Usability and manufacturing costs will always trump security.
It is unrealistic to expect that security will ever be a priority in such consumer devices, especially in the cut-throat, fast-moving and highly seasonal market of children’s toys. The excellent analysis of the breach done by security expert Troy Hunt reveals that there were extremely basic problems with the security of these devices. Security was simply not a priority. Development had to happen fast, costs had to be kept low, and the user experience had to be fast and smooth as nobody wants to deal with complex IT problems after unwrapping a gift. This is not a unique situation, but hopefully, change will come, partly due to scandals like this. Manufacturers have to realize that these are not just toys but internet-connected cameras in the hands of underage children and design their security accordingly. And as users, we have to keep in mind that right now, security is a low priority for these devices and make conscious decisions about what data we trust them with.”
Brian Laing, VP of Products and Business Development, Lastline:
SQL injection attacks are not new – there are technologies that can detect and even prevent this type of attack. There are also technologies that companies can use prior to launching an application to test the application directly before it is released. All of this is based on established, well-known best practices for security. I am sure more information will come to light on this breach. There are a number of issues with this attack and VTech’s response.
The fact that no personally identifiable financial information was leaked does not mean this is not important! Many users use the same usernames, passwords, secret questions, etc. across multiple sites. Even the name, gender, or birthday of children in the wrong hands is a concern. I, for example, do not allow my kids to have their names stitched onto their backpacks. A predator could walk up to your child and say “Hey Molly, isn’t your birthday coming up?” There are many issues with the leak of personal information. The problem only gets worse if a vulnerability is discovered in the toy.
Imagine someone uses this information to get into a VTech online account and access a toy that allows voice collection. The attacker could gather information on the family. They could also potentially push out messages to the toy. How would your child respond if their toy suddenly said, “Mommy needs you to open the front door right now” or some other nefarious statement? History has shown that assuming best case or best intentions is a mistake. Internet of Things companies need to really think seriously about security. If they don’t have the skills in house, then they need to go to security consulting companies that specialize in application testing. This testing needs to review the individual toy, its application, as well as the manufacturer’s infrastructure.
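The established practice Laing refers to, preventing SQL injection by binding user input as query parameters rather than building SQL text from it, is illustrated below. This is an added example written for this page; it is not code from VTech, Lastline or Balabit. It uses Python's standard sqlite3 module with a small constructed in-memory table, and the function names (find_role_unsafe, find_role_safe, quote_handling_check) are invented for the illustration. The pre-release style check uses a legitimate name containing a quote character to show that the string-built query fails where the parameterized one behaves correctly, which is the kind of defect an application test run before launch is meant to surface.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real breach.
SAMPLE_USERS = [
    ("alice", "parent"),
    ("O'Brien", "parent"),   # legitimate name containing a quote character
    ("molly", "child"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_role_unsafe(conn, name):
    """Vulnerable pattern: user input is pasted into the SQL text.

    Any quote character in `name` changes the structure of the statement,
    so the database parses part of the input as SQL instead of as data.
    """
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_role_safe(conn, name):
    """Hardened form: the value is bound to a placeholder.

    The driver sends the SQL and the value separately, so the input is
    never parsed as SQL regardless of what characters it contains.
    """
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def quote_handling_check(conn, lookup, name="O'Brien", expected=("parent",)):
    """Pre-release style check for a lookup function.

    Returns True only if a legitimate name containing a quote character
    produces the expected rows without any database error. The string-built
    query fails this check; the parameterized query passes it.
    """
    try:
        return tuple(lookup(conn, name)) == tuple(expected)
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("safe lookup passes check:", quote_handling_check(db, find_role_safe))
    print("unsafe lookup passes check:", quote_handling_check(db, find_role_unsafe))
```

The check is deliberately written against a benign input: a name with an apostrophe is enough to show that the concatenated query lets input alter the statement, which is the root cause of SQL injection, while the bound parameter keeps data and code separate. In a real test suite the same check would be applied to every query path that takes external input.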