Popular VTech children's tablet can be easily controlled by hackers
Risk management and cybersecurity specialist SureCloud has discovered that the popular VTech Storio Max children's tablet can easily be hacked, enabling criminals to take control of the devices and snoop on unsuspecting victims.
This can be done by simply adding an image or link to a website. When accessed by a child via the tablet's web browser, the exploit would attack the tablet and enable the attacker to take full control of the device.
A feature of the VTech tablet is that only websites selected by parents can be accessed. Six child-friendly websites are allowed by default. However, at least one of these websites permits anyone to upload content in a Wikipedia-style format. An attacker could therefore add a malicious page to this website to perform the attack.
A patch has now been released to address the vulnerability. SureCloud has been working closely with VTech since the original disclosure. VTech has confirmed that over half of the devices have already been patched and an email notification has been issued to all users encouraging them to patch as soon as possible.
Luke Potter, SureCloud's cybersecurity practice director says,
Any device is a potential target for an attacker. Where devices are specifically designed for children, attackers know that they are less likely to notice or question any suspicious activity on the devices.
As a result, vulnerabilities such as the one we uncovered on the Storio Max device which enable an attacker to snoop undetected on users, and potentially pass instructions on to them that could endanger them, pose a significant threat to users. Following disclosure, VTech responded very quickly and issued a patch that addresses the problem. As this needs to be applied manually by parents, it is critical that they do so as soon as possible.
You can visit the SureCloud blog for a detailed look at the technical aspects of the attack.