Slashdot Mirror


21-Year-Old British Man Arrested In Connection With VTech Hack (ibtimes.co.uk)

Ewan Palmer writes: A man has been arrested in connection with the alleged hacking of electronic toy manufacturer VTech which affected millions worldwide. The 21-year-old was arrested in Berkshire, South East England, on suspicion of unauthorized access to computers to facilitate the commission of an offence and suspicion of causing a computer to perform a function to secure/enable unauthorized access to a program/data following the data breach in November. From the BBC's coverage of the arrest: In the attack, servers used to support VTech's Learning Lodge app were compromised. ... The Learning Lodge database logged names, email addresses, encrypted passwords, IP (internet protocol) numbers and other personal data. Some of the information was about children including names, dates of birth and gender. No credit card data was stored in the compromised database. Details on customers from all over the world, including the US, UK, France and China, were taken. Some of the data is believed to have been posted briefly online before being removed. When details about the extent of the data loss became known, security expert Troy Hunt said he had "run out of superlatives to even describe how bad" it was.

53 comments

  1. Hope the bastard gets a nice long stretch by Viol8 · · Score: 1

    I dread to think what could happen to some of the information about those kids and who might use it to target youngsters if he's sold it. VTech have been criminally negligent here too so one would hope some heads roll, but this little turd really deserves the book thrown at him.

    1. Re:Hope the bastard gets a nice long stretch by The-Ixian · · Score: 1

      The article doesn't really go into what the intent was.

      I don't think that the book should be thrown at somebody for exposing criminally negligent security practices.

      If anything, VTech should be happy the guy was apparently novice enough to leave a clear trail which exposed their security weaknesses.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Hope the bastard gets a nice long stretch by Anonymous Coward · · Score: 1

      So if I go to your house and smash your window, you won't press charges because I am just exposing your security weaknesses?

    3. Re:Hope the bastard gets a nice long stretch by sycodon · · Score: 1

      I guess you didn't see the post directly above yours.

      Unbelievable.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    4. Re:Hope the bastard gets a nice long stretch by The-Ixian · · Score: 1

      I am not saying VTech shouldn't be annoyed with him and even sue him for damages.

      But I don't condone "throwing the book" at him... as in "lock him away and throw away the key"

      In your analogy, I would certainly pursue damages from you, but I would also learn from the incident and perhaps move away or install a better security system.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re: Hope the bastard gets a nice long stretch by tommyjcarpenter · · Score: 1

      At least this is one of the few hacks we've seen where the passwords were encrypted... So, not as negligent as say, Sony.

    6. Re:Hope the bastard gets a nice long stretch by Anonymous Coward · · Score: 1

      Calm down buddy. The "compromised" information is all freely available with services such as Intelius anyway. This honestly isn't a big deal....

    7. Re:Hope the bastard gets a nice long stretch by The-Ixian · · Score: 1

      What? The "Reeeeesearcher" post?

      What is that supposed to mean? Is he a researcher? It doesn't state that in TFA.

      --
      My eyes reflect the stars and a smile lights up my face.
    8. Re:Hope the bastard gets a nice long stretch by Lumpy · · Score: 1

      The rich never pay for their crimes.

      --
      Do not look at laser with remaining good eye.
    9. Re:Hope the bastard gets a nice long stretch by Anonymous Coward · · Score: 0

      Whoosh!

    10. Re:Hope the bastard gets a nice long stretch by dotancohen · · Score: 4, Insightful

      I dread to think what could happen to some of the information about those kids and who might use it to target youngsters if he's sold it. VTech have been criminally negligent here too so one would hope some heads roll, but this little turd really deserves the book thrown at him.

      My daughter just this week received a VTech tablet as a gift. We could not connect it to the network due to this hack, and it took me a few minutes to put one and one together to realize that _this_toy_ was the one whose network was hacked. Of course, I had just warned her a few minutes beforehand about entering personal information into the device.

      As a parent of a child with this tablet, I am _happy_ that this guy broke in. The VTech company is completely negligent, and I'm furious that they would not encrypt the communications and have such egregious flaws. I'm a software developer and I know that all software has bugs, but this isn't a bug. This was a choice by VTech to use unencrypted communications and to not use best practices in their DB communications (prepared queries). If this Brit hadn't broken in, somebody with worse intentions would have.

      I don't personally verify that my bank has good locks, and I don't personally verify that my health care provider's employees have each received proper certification. I have to trust many entities in my life, VTech was one, but when the bank doesn't even bother to lock the safe, or the health care provider slaps a Dr badge on anybody with a white coat, then we have justified reason to be angry not with those who opened the safe but rather with those who left it unguarded.

      --
      It is dangerous to be right when the government is wrong.
    11. Re:Hope the bastard gets a nice long stretch by GuB-42 · · Score: 2

      I dread to think what could happen to some of the information about those kids and who might use it to target youngsters if he's sold it.

      Like what? Targeted advertising?
      If you are thinking about things like child rape, I don't know what a criminal could do with this data that he couldn't do much more effectively by logging into Facebook or just hanging around your local school. Some retarded parents just love to put all details about their kids' life online, which has the effect of boring to death everyone except people you absolutely don't want to be interested.
      Anyways, child abuse online is a vastly overblown problem, used by governments to justify intrusive measures. In reality, the worst offenders are parents, followed by familiar people (family, friends, nannies, teachers, caretakers, ...).

    12. Re:Hope the bastard gets a nice long stretch by Anonymous Coward · · Score: 0

      Bad analogy. The "window" in question here is not smashed. The VTech device works as originally purchased.

      A better analogy would be that he opened the window and pointed out how a burglar could also open the window.

    13. Re:Hope the bastard gets a nice long stretch by Anonymous Coward · · Score: 0

      No, he climbed in the window, copied everything he could find and let the world see.
      That is the difference between good and bad.

    14. Re:Hope the bastard gets a nice long stretch by tehcyder · · Score: 1

      I don't think that the book should be thrown at somebody for exposing criminally negligent security practices.

      You would not need to release the information you obtained on to the internet to demonstrate this.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  2. Ohmygod! The world is falling apart! by Anonymous Coward · · Score: 5, Insightful

    Am I alone in this uneasy feeling about so-called security pundits putting their breathlessness on display over some stupid, embarrassing and perhaps sometimes obnoxious hoaxes -- but far from "tragic", "catastrophic" or whatever superlatives?

    C'mon. Tragic is that there are still people starving out there. Catastrophic is what's going on in Syria at the moment while the "developed countries" are squabbling in their disgusting powerplay over whatever.

    But some compromised servers? Cool down, folks.

    1. Re:Ohmygod! The world is falling apart! by The-Ixian · · Score: 0

      Well said, my friend.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Ohmygod! The world is falling apart! by DNS-and-BIND · · Score: 1

      Well, that's modern journalism for you. They are more interested in promoting a viewpoint and reciting a narrative than reporting the facts. Just watch some old BBC from 70s/80s on YouTube...it's just a clipped glass accent telling you what happened, when, and to whom. A far cry from today.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  3. Squeeze him by Anonymous Coward · · Score: 1

    He'll rat out on all of his "anonymous" accomplices. Those cowardly nerds always do.

    1. Re:Squeeze him by Galactic+Dominator · · Score: 1

      Who are your accomplices then?

      --
      brandelf -t FreeBSD /brain
  4. Just to be Clear... by Anonymous Coward · · Score: 0

    ...he's a "Reeeeesearcher", only looking to expose vulnerabilities for the Greater Good of us all.

  5. Encrypted passwords? by Anonymous Coward · · Score: 0

    Encrypted passwords? Do IT departments really still do that? I would have hoped that most would have switched to hashed/salted passwords by now.

    1. Re:Encrypted passwords? by Anonymous Coward · · Score: 0

      They do when you want your article to be accessible to a broad readership.

      But no, well done, you win the internet for being pedantic.

    2. Re:Encrypted passwords? by Anonymous Coward · · Score: 0

      A "hashed/salted" password is still encrypted, just impossible to decrypt to the guaranteed original plaintext.

      However, quite possible to "decrypt" to some valid text that can be used to access the site...which is a pragmatic way of defining "decrypted" :)

  6. Superlatives by Rik+Sweeney · · Score: 1

    When details about the extent of the data loss became known security expert Troy Hunt said he had "run out of superlatives to even describe how bad" it was.

    He should have invented a new word, such as badest.

    "The breach was the badest I've ever seen."

    1. Re:Superlatives by Anonymous Coward · · Score: 0

      This data loss was scrumtrulescent.

    2. Re:Superlatives by The-Ixian · · Score: 0

      That's right, "scrumtrulescent" is a perfectly cromulent word.

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Superlatives by wardrich86 · · Score: 2

      When details about the extent of the data loss became known security expert Troy Hunt said he had "run out of superlatives to even describe how bad" it was. He should have invented a new word, such as badest. "The breach was the badest I've ever seen."

      "The breach was the 9/11est I've ever seen. It was like 9/11 times one million."

  7. Shooting the messenger never fixed anything. by Anonymous Coward · · Score: 0

    I have to wonder what charges will be brought against the people who set up a system like this with no security? No charges whatsoever? Then expect it to keep happening again and again and again. The captcha for this is debacle, which is amazingly fitting.

  8. Dumbed Down for Nerds! by Anonymous Coward · · Score: 0

    The Learning Lodge database logged names, email addresses, encrypted passwords, IP (internet protocol) numbers...

    Thank you, I really mean it, Thank you for clarifying that undecipherable IP acronym, my life is almost complete.

    On the other hand, are they really IP numbers? I was not taught in school how to count with IP numbers, but I did get told that numbers would represent a plethora of things, like IP addresses for example.

    1. Re:Dumbed Down for Nerds! by Anonymous Coward · · Score: 0

      IP addresses are numbers...and you are a useless dildo.

    2. Re:Dumbed Down for Nerds! by Anonymous Coward · · Score: 0

      No. They are numerals.

      KGIII (Not logged in.)

  9. Police breaking laws by Anonymous Coward · · Score: 0

    UK Police have been visiting Teens who download denial of service software to warn them in case they become hackers and commit crimes.

    http://www.engadget.com/2015/12/14/uk-police-visit-teen-hackers-at-home/

    Only trouble is, the law that makes mass surveillance of the internet by the police possible... HAS NOT BEEN PASSED. So how exactly do they know the web history of teens?

    There is some mighty big explaining to do, downloading denial of service software is not a crime, but yet somehow the police have all this illegal surveillance data, and that IS a crime.

    http://www.bloomberg.com/news/articles/2015-12-10/u-k-cops-are-trying-to-scare-teen-hackers-with-house-calls

    "The visit was one of about 50 U.K. police made this year to people they say used the Lizard Stresser site, many of them children. The Hull suspect, a teenager, couldn’t have done anything wrong, his dad told Hastings. He spent all his time upstairs, on his computer."

    [He hadn't done anything wrong]

    "Hastings is part of the Prevent team at the cybercrime unit of the U.K. National Crime Agency (NCA). The eight-person team tries to scare offenders on the “periphery of cybercrime” about the consequences of online misdeeds before they commit a jailable offense, boss Richard Jones says."

    Before they commit a jailable offense you are already spying on them? Even though the law to permit that was rejected by Parliament and is currently still on hold pending a redraft?

    Care to explain how that is???

    1. Re:Police breaking laws by Hognoxious · · Score: 1

      So how exactly do they know the web history of teens?

      From reading posts like "dudez check out www.haxor.ro/sickit2theman.vba" on the twitbooks.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  10. happy shoot the messenger by Anonymous Coward · · Score: 0

    So next time you find a bug, don't go public. Just dump the stuff on the net.
    Exactly what happened with the Hacking Team breach.

    Seems the police really want to have this as the future standard for how to handle security problems.

  11. Really? by Anonymous Coward · · Score: 0

    I'd be annoyed that my email address was leaked and the subsequent spam I would receive, but stealing and releasing an address book is that Earth shattering to these hyperbole-infected nimrods?

    A week in jail and three months of community service seems fitting.

  12. Re:UK doesn't seem to care about ACTUAL Child Rape by Viol8 · · Score: 1

    The police go for the low hanging fruit and make a big song and dance about it.

  13. this is too much by Anonymous Coward · · Score: 0

    What's even worse that's being overlooked here is that VTech was improperly securing and storing children's data. I agree with a previous response though, far from tragic considering it's just a name and dob. Nothing of great loss here that couldn't have been found in the public domain... This story is being blown way out of proportion.

    1. Re:this is too much by Anonymous Coward · · Score: 0

      Stealing everything out of your neighbor's unlocked front door is still a crime...Even if the door was unlocked.

  14. Re:UK doesn't seem to care about ACTUAL Child Rape by Anonymous Coward · · Score: 0

    Sorry, "battlestormblog" is not a credible source. The Guardian article, which is the only credible source you've supplied, does not contain any reference to religion. Do you have any actual evidence to share?

  15. Arrested for... by CimmerianX · · Score: 2

    ... embarrassing a large corporation by showing how easy it was to bypass security and releasing the proof to the media.

    We can't have large corporations' money flows placed at risk now.....

  16. ... about children ... by future+assassin · · Score: 3, Insightful

    That right there requires a full scale assault on the perpetrators and 100 years of jail time. Think of the children, said the person who required the kids' names be in the db and the parents who wilfully gave that info out to access a toy.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  17. When VTech Kicks in... by Anonymous Coward · · Score: 0

    Am I the only one that read that and start

    1. Re:When VTech Kicks in... by Anonymous Coward · · Score: 0

      follow the gourd!

  18. Re:UK doesn't seem to care about ACTUAL Child Rape by Anonymous Coward · · Score: 0

    Not even the heavily propagandized right-wing extremists believe what you're saying. You are deep into the lunatic fringe.

  19. low hanging fruit by Anonymous Coward · · Score: 0

    This kid will get punished for a corporation with such bad security that a kid could compromise it. The kid should be given a medal for his contribution to society, and the corporation punished.

  20. In Cook County jail by Anonymous Coward · · Score: 0

    In Cook County jail the US office is there.

  21. Re:UK doesn't seem to care about ACTUAL Child Rape by Anonymous Coward · · Score: 0

    Which would be their balls, no?

  22. Re:UK doesn't seem to care about ACTUAL Child Rape by Anonymous Coward · · Score: 0

    FWIW there is a documentary, from the BBC, confirming all of that. You can probably find it with a little Google.

  23. Re:UK doesn't seem to care about ACTUAL Child Rape by tehcyder · · Score: 1

    Although the Rotherham case does not cast a great light on anyone involved, the fact is that the men responsible were eventually prosecuted.

    The real scandal was not the fact that a group of paedophiles had brown instead of white skin, it was that the social services allowed it to happen because they didn't want to interfere with the "human rights" of twelve-year-olds to have sex.

    --
    To have a right to do a thing is not at all the same as to be right in doing it