Investigation finds flaws in VTech children’s tablet

An investigation by the BBC Watchdog Live television programme has prompted the VTech website to tighten security on its tablet product, the BBC news website reports.

The InnoTab Max gadget has a glitch in its software that hackers could exploit to take remote control of the product and monitor its users. The flaw was initially pointed out to VTech months ago by a UK cyber protection company.

While a patch has been promoted by the Chinese company that manufactures the InnoTab Max, not all child guardians have installed it. Alerts on the device in question were put in place to inform users of the need to install an update. Needing a higher-profile the instruction now appears on the top of the website that holds the product.

VTech stated that retailers of the affected units of the InnoTab Max are being contacted. The problem comes three years after the company came under fire for its conduct during another cyber protection intrusion that saw millions of child customers’ account details compromised.

The target audience of the device under scrutiny spans children aged between three and nine years old.

In a statement VTech said denied any real breach had taken place.

“This was a controlled and targeted ‘ethical hack’ by… a sophisticated cyber-firm that was in possession of a detailed knowledge of hacking techniques and InnoTab/Storio Max’s firmware. We are not aware of any actual attempt to exploit the vulnerability and we consider the prospects of this happening to be remote.

“However, the safety of children is our top priority and we are constantly looking to improve the security of our devices.”

The Max tablets allow parents and guardians to limit children’s website browsing to sites that they have approved. A vulnerability in the technology was discovered early in 2018 at London-based SureCloud, where researchers found that if one or more of the adult-approved websites were compromised then this could leave the Max device open to attack.

Speaking to the BBC, SureCloud’s cyber-security practice director, Luke Potter, described the difficulty of identifying the vulnerability.

“To actually exploit [the weakness] once you know it’s there is reasonably simple,” he said.

The weakness means hackers could be able to remotely trigger malware or customised code into operation on the gadgets, gaining access “without the child even knowing,” Mr Potter explained.

“So effectively being able to monitor the child, listen to them, talk to them, have full access and control of the device. For example, we demonstrated viewing things through the webcam.”

Mr Potter also said that VTech was prompt to address the problem and create a patch when SureCloud flagged this issue up in May.

On its website, VTech lauds its own security standards, citing “rigorous testing” that maintains “strict control and supervision over the quality of our products.”

Speaking to the BBC’s Watchdog consumer programme, the firm said:

“We thank SureCloud for bringing this vulnerability… to our attention. We took immediate action in early summer to resolve the issue and pushed out a firmware upgrade to all affected InnoTab/Storio Max devices in Europe.”


The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 delegates seeking the very latest insight on data protection and privacy.

Pre-registration for DPWF 2019 will be opening in the coming weeks.

https://www.dataprotectionworldforum.com/