Bad to worse: VTech's kids tablet is a breeze to hack

It's not been a great week for VTech, its servers hacked and data on millions of children exposed, and the news gets worse. The company admitted the download store for its kid-focused Innotab tablets had suffered a successful cyberattack in early November – highlighting the paucity of security the company had used in the process – and now researchers have begun picking apart the hardware itself.

Pen Test Partners picked up the tablet, which retails for around $100, and discovered a number of concerning issues, including the security of its core chipset and the way VTech stores user data.

For instance, thanks to the RK3188 chipset VTech has used, it's possible for someone with nefarious intent to load the Innotab into recovery mode and strip out all of the information stored on it. That includes anything – such as photos – that the child might have saved.

Further tinkering revealed that VTech had left Android 4.1.1, the tablet's OS, with ADB enabled, and logged in with root privileges.

Open the tablet up, meanwhile, and there's a microSD card half-heartedly glued into place on the motherboard. That, it turns out, stores the tablet's filesystem and all of its user data.

"In the case of a lost, stolen or re-sold tablet, any and all data that the child or adult has put on there is exposed. Passwords, PINs, email addresses, app data, you name it" Pen Test Partners

Arguably, the server-based flaws which included saving all of the chats between parents and children, unencrypted, along with shared photos are more serious than exploits which require physical access to the tablet hardware itself. Certainly, the relatively straightforward hack which first began VTech's nightmare exposed a lot more user data, with the company admitting yesterday that the information of 6.4m children was exposed.

Either way, it highlights the potential perils of cheap tablets and what possible compromises might be involved when you're buying something built to a low budget, such as security-lacking processors.

SOURCE Pen Test Partners