Sqrrl Blog

Dec 22, 2015 11:39:59 AM

Cyber Incident Matrix: VTech

Complexity Score: 0
Severity Score: 0
How did we get these numbers?

Incident Summary

Overview:

On November 14th, Hong Kong based toymaker VTech announced that its servers had been infiltrated after inquiries from the media, based on an anonymous tip to VICE Magazine. The anonymous tipper claims to be the hacker himself, describing in an interview with VICE that his only intention in the breach was to bring awareness to the blatant lack of cybersecurity at VTech.


Complexity Score:

Plan Time: 0
Indirect Attack: 0
Cyber/Human Coordinated: 0
Zero-Days Used: 0
Time Undetected: 0
Advanced TTPs: 0
Total: 0

The VTech hack was disturbingly simple. According to a forensic post mortem, after exploring a number of VTech sites the hacker realized that one of the sites, www.planetvtech.com, included a login form. By injecting database commands into the form, the attacker was able to gain the maximum administrative privileges and pivot to other VTech servers. 

SQL injection, the basic TTP used in this case, is one of the most common web application security flaws and is relatively easy to prevent. In general, wiring forms (login, profile info, etc.) straight through to backend database servers without parameterizing the submitted values is dangerous. Connecting web applications directly to backend servers in this way allows users to "give" the backend anything they would like, including malicious code.
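As an added illustration (not code from the Sqrrl post or from VTech), here is the login-form pattern the paragraph warns about beside its parameterized fix, using Python's sqlite3 against a constructed in-memory user table; the user names, password and table layout are all assumptions for the demo.

```python
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a site's login
    backend (example data only, not VTech's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, is_admin INTEGER)"
    )
    pw_hash = hashlib.sha256(b"correct horse battery staple").hexdigest()
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("admin", pw_hash, 1))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Form fields concatenated straight into the SQL text: whoever fills in
    the form controls the structure of the query, not just its values."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username, is_admin FROM users WHERE username = '"
        + username + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Placeholders fix the query structure in advance; the submitted fields
    are bound as data and are never interpreted as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT username, is_admin FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(query, (username, pw_hash)).fetchone()


def demonstrate() -> dict:
    """Run both versions against a constructed, textbook form submission whose
    username field closes the quoted string and comments out the password
    check. Returns what each login function yields."""
    conn = build_db()
    bad_username = "admin' --"  # constructed test input, not a real account
    return {
        "vulnerable": login_vulnerable(conn, bad_username, "not the password"),
        "hardened": login_parameterized(conn, bad_username, "not the password"),
        "legit": login_parameterized(conn, "admin", "correct horse battery staple"),
    }
```

The same malformed username field logs the concatenating version in as the administrator without the password, while the parameterized version simply finds no such user; this pair makes a useful regression test for any login handler.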

Severity Score:

Incident Costs: 0
Physical Damage: 0
Lives Lost: 0
Nat. Sec. Impact: 0
Total: 0

According to their interview with VICE, the VTech hacker has no intention of selling or disclosing the information they stole, other than to prove he possesses it. As long as that continues to be true, the severity score by our standards remains at 0. However, the low incident costs should not soften the blow of this attack.

In this case, the attacker was able to download the metadata (names, addresses, email addresses, etc.) of almost 5 million parents, and over 6 million children. Worse yet, the attacker also downloaded over 190 gigabytes of profile pictures from VTech's Kid Connect service -- a kind of FaceTime for young children.

In this case, it is lucky that the attacker has done nothing malicious with the data they stole, but this is not the norm. As one Wired author put it: "Next time could be significantly worse. In fact, if VTech’s own lack of self-awareness is any indication, “next time” may well have already happened."


Topics: Cybersecurity, Data Breach, Cyber Incident Matrix, VTech Breach