VTech is a multinational company which develops and markets learning products for children from infancy to preschool; it also claims to be the world’s largest manufacturer of cordless phones. Within its catalogue there are several devices which use the Internet to connect a child’s educational toy to an educational portal which parents can use to interact with their child’s toy.

In November 2015, VTech published a press release in response to an incident involving a database which contained the personal information of customers who used the Internet-connected educational toys. According to VTech’s press release, this information included names, email addresses, passwords (encrypted), secret questions and answers, and locational data such as IP addresses and mailing addresses.

Additionally, due to the nature of the toys involved, biographical information about the children using the system was also stored, including names, profile images, dates of birth and genders.

Upon discovery of the breach, VTech contacted its customer base to inform them of the breach and advise further action where required. VTech also took the precaution of taking down nearly a dozen websites associated with the breached database.

Although the compromised database has not been released by the perpetrator, ThreatPost.com has reported that the personal information of 5 million users may have been acquired.

Whilst VTech has not disclosed the mechanism by which this breach was possible, a possible clue lies in the decision to take nearly a dozen websites offline. The websites may have served as an attack vector which enabled access to the connected databases.

According to ViewDNS.info records for the affected domain names, the common element is a particular server hosted with Voxel Dot Net, Inc. The reportedly affected websites shared the same IP address, and would likely have shared the same database server instance as well.

Domain Name                     IP Address (DEC15)   IP Address Owner
www.planetvtech.com             107.6.110.34         Voxel Dot Net, Inc.
www.lumibeauxreves.com          107.6.110.34         Voxel Dot Net, Inc.
www.planetvtech.fr              107.6.110.34         Voxel Dot Net, Inc.
www.vsmilelink.com              107.6.110.34         Voxel Dot Net, Inc.
www.planetvtech.de              107.6.110.34         Voxel Dot Net, Inc.
www.planetvtech.co.uk           107.6.110.34         Voxel Dot Net, Inc.
www.planetvtech.es              107.6.110.34         Voxel Dot Net, Inc.
www.proyectorvtech.es           107.6.110.34         Voxel Dot Net, Inc.
www.sleepybearlullabytime.com   107.6.110.34         Voxel Dot Net, Inc.
de.vsmilelink.com               107.6.110.34         Voxel Dot Net, Inc.
fr.vsmilelink.com               107.6.110.34         Voxel Dot Net, Inc.
uk.vsmilelink.com               107.6.110.34         Voxel Dot Net, Inc.
es.vsmilelink.com               107.6.110.34         Voxel Dot Net, Inc.

These common traits lend weight to the possibility that either the database port was exposed and exploited, or one of the above-mentioned websites was compromised and the attacker pivoted to the database using information sourced from that compromised website.

Following the discovery of the security breach, all the VTech websites have been moved to Amazon.com’s server infrastructure, which offers a greater level of security through its pre-established server images and network configuration.

If the suppositions surrounding how the breach occurred are accurate, the response, rectification and remediation of the affected database servers would have been quite involved. Although hardening the database against external access is straightforward, there is also a chance that the attacker embedded further malicious payloads within the database for later processing.

VTech’s initial response was concise, informative, and commensurate with the breach; however, VTech was unaware of the breach until a reporter contacted the company. Only then did VTech begin investigating its logs and determine that an intrusion had occurred.

Furthermore, according to VTech press releases, a man in the United Kingdom has reportedly been arrested for the breach of the systems and related computer crimes. There have been no reports as to why VTech was targeted, or whether the compromise was a ‘target of opportunity’.

To prevent a recurrence and maintain positive monitoring of the server infrastructure, database managers or systems administrators should monitor database statistics to detect where an anomaly is occurring and, where possible, intervene.
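As an added illustration of the monitoring described above (example code written for this page, not VTech’s own tooling), the following Python script applies two checks to a constructed set of per-session database statistics: a robust volume baseline that flags an hour in which far more rows leave the database than usual, and an allow-list check that flags any client which is not one of the assumed web-tier application servers, as would be expected if the database port were reachable from outside. The hour buckets, client addresses and row counts are all made-up sample data.

```python
import statistics
from collections import defaultdict

# Constructed sample: one record per database session, as a monitoring
# job might collect from the server's accounting or statistics tables.
# Fields: hour bucket, client IP, rows returned. All values are made up.
SESSIONS = [
    ("2015-11-10T13", "10.0.1.5", 1200),
    ("2015-11-10T14", "10.0.1.5", 1350),
    ("2015-11-10T15", "10.0.1.6", 980),
    ("2015-11-10T16", "10.0.1.5", 1100),
    ("2015-11-10T17", "10.0.1.6", 1250),
    ("2015-11-10T18", "10.0.1.5", 1020),
    ("2015-11-10T19", "10.0.1.6", 1300),
    ("2015-11-10T20", "10.0.1.5", 1180),
    # Constructed anomalous hour: a client outside the web tier pulls a
    # volume far above the baseline (a bulk extraction pattern).
    ("2015-11-10T21", "203.0.113.9", 4_800_000),
]

# Assumed allow-list of application servers permitted to reach the database.
WEB_TIER = {"10.0.1.5", "10.0.1.6"}

def rows_per_hour(sessions):
    """Sum rows returned per hour bucket."""
    totals = defaultdict(int)
    for hour, _ip, rows in sessions:
        totals[hour] += rows
    return dict(totals)

def anomalous_hours(sessions, threshold=5.0):
    """Flag hours whose row volume is far above a robust baseline.
    Baseline is the median of all hours; spread is the median absolute
    deviation (MAD), so one huge hour does not drag the baseline up."""
    totals = rows_per_hour(sessions)
    values = sorted(totals.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return sorted(h for h, v in totals.items() if (v - med) / mad > threshold)

def foreign_clients(sessions, allowed=WEB_TIER):
    """Clients that are not known application servers: a sign that the
    database port is reachable from beyond the web tier."""
    return sorted({ip for _h, ip, _r in sessions if ip not in allowed})

if __name__ == "__main__":
    print("anomalous hours:", anomalous_hours(SESSIONS))
    print("unexpected clients:", foreign_clients(SESSIONS))
```

In practice the baseline would be computed over a longer history than the flagged window, and alerts from either check would feed the incident process rather than being acted on in isolation.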