The VTech KidiCom MAX is advertised as the “cool and secure messenger for kids”. That is reason enough to put the device through its paces in our security test and see how much substance is behind the advertising message of the company, which is mainly known for its toys.

VTech came under heavy criticism when, in December 2015, a hack exposed the data of 6.4 million children. Among other things, the ‘Kid Connect’ messenger system used by this device was also affected. Data from 4.9 million adults was also disclosed. The exposed data included the children’s home addresses, first names, birthdays and gender, as well as their parents’ account data. Furthermore, the attacker is said to have had access to photos, chat transcripts and audio files. VTech subsequently agreed to a fine of 650,000 US dollars with the US Trade Commission. The ‘Kid Connect’ service was then completely redeveloped by VTech. (see CNBC 2015, Golem 2015 (German))

Technical Data

The KidiCom MAX is equipped with a 32-bit quad-core ARM processor (MT8127, release date 01.06.2014, set to a maximum of 1300 MHz), WiFi and Bluetooth 4.0, 1 GB RAM and 8 GB flash memory, which puts it in the lower mid-range. In addition, it has a built-in 2 MP camera that can be swivelled forwards and backwards and takes pictures with a resolution of 1024×600 pixels by default. The 5″ display with a resolution of 800×480 pixels, which also matches the device class, is of sufficient quality for the pre-installed apps. Android 6.0 is installed on the device itself; the security update status is dated 05 October 2016. (The following screenshots are in German, because the device’s language cannot be changed – it is set by its sales region.)

VTech child user interface

Software

The user interface of the children’s tablet is divided into a children’s area and a parent area. The parent area is protected with a four-digit PIN. The PIN prompt has no rate limiting implemented, so the 10,000 possible combinations can simply be tried one after another, given enough patience.

Left: PIN protection, right: Parent area
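
One way to add the missing brute-force protection, shown as an added example that is not VTech's code: a PIN check with escalating lockout, plus the waiting time it forces on anyone who works through all 10,000 combinations. The class name, thresholds and delays are assumptions chosen for illustration.

```python
import hashlib
import hmac

class PinGate:
    """Hypothetical parent-area PIN check with escalating lockout."""
    FREE_ATTEMPTS = 5   # assumed: failures allowed before delays start
    BASE_DELAY = 30     # assumed: first lockout in seconds, then doubling
    MAX_DELAY = 3600    # assumed: cap of one hour per further failure

    def __init__(self, pin: str, salt: bytes):
        self._salt = salt
        self._digest = self._hash(pin)
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, pin: str) -> bytes:
        # Store a slow salted hash, never the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def delay_after(self, failures: int) -> int:
        if failures < self.FREE_ATTEMPTS:
            return 0
        exp = failures - self.FREE_ATTEMPTS
        return min(self.BASE_DELAY * 2 ** exp, self.MAX_DELAY)

    def try_pin(self, pin: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"          # rejected without checking the PIN
        if hmac.compare_digest(self._hash(pin), self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.delay_after(self.failures)
        return "wrong"

def worst_case_wait(gate: PinGate, keyspace: int = 10_000) -> int:
    """Seconds of enforced waiting if every wrong PIN is entered first."""
    return sum(gate.delay_after(n) for n in range(1, keyspace))
```

With these assumed values, exhausting the four-digit space costs more than a year of enforced waiting. The failure counter and lock time have to be stored persistently so that a reboot does not reset them.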

No high demands should be made on the speed of the device. Pre-installed apps are not always displayed smoothly, and various display errors were also observed during the test, especially with a lot of text content. One of the core features – the messenger – also didn’t always work reliably during our test; sometimes messages weren’t delivered. This is also in line with the reviews in the Google PlayStore or Apple AppStore.

On the VTech KidiCom MAX, any Android app can be installed via the parent area. The installation of the Amazon AppStore is offered there directly. Additional apps can also be installed as APK files. Since the device registers itself on the PC as a removable disk, these can simply be stored on it and installed on the tablet via any file manager. However, the customer also runs the risk of unknowingly installing malware on the device. Antivirus apps could offer protection here, but their availability in the Amazon AppStore is very limited.

Third party apps installed by us in the parent area

Due to the outdated Android version, there are numerous vulnerabilities that can be exploited by apps. Therefore, we can only advise against installing apps from unknown sources.

Preinstalled apps

With a little effort, we also got access to the apps pre-installed on the device and were able to get an idea of how they work. The most important of the almost 110 pre-installed apps were subjected to a static analysis, and frequently used functions of the device were tested in a dynamic analysis. In the following, we limit ourselves to the anomalies.

File manager view of the installed apps

When the device boots up, it downloads two certificate files disguised as JPGs over an unencrypted connection. These are then used within the scope of the implemented certificate pinning. An attempt was made to manipulate them in a man-in-the-middle attack, but apps such as Messenger then refused to provide the service. Nevertheless, we recommend that this procedure be further secured in accordance with the state of the art.

Download of certificates disguised as JPG
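
When reviewing a traffic capture for this pattern, the check below flags downloads whose file extension claims an image while the content is certificate material, and trust material fetched without TLS. It is an added example, not part of the original test setup; the URLs and payloads are constructed placeholders and the function names are hypothetical.

```python
from urllib.parse import urlparse

IMAGE_EXTS = (".jpg", ".jpeg")

def sniff(payload: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring the file name."""
    if payload[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if payload.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-certificate"
    # DER X.509: ASN.1 SEQUENCE (0x30) with a two-byte long-form length (0x82)
    if payload[:2] == b"\x30\x82" and len(payload) >= 4:
        declared = int.from_bytes(payload[2:4], "big")
        if declared + 4 == len(payload):
            return "der-asn1"
    return "unknown"

def review(downloads):
    """Return (url, issues) for every download that needs a closer look."""
    findings = []
    for url, body in downloads:
        parts = urlparse(url)
        kind = sniff(body)
        issues = []
        if parts.path.lower().endswith(IMAGE_EXTS) and kind != "jpeg":
            issues.append(f"extension says JPEG, content is {kind}")
        if kind in ("pem-certificate", "der-asn1") and parts.scheme != "https":
            issues.append("trust material fetched without TLS")
        if issues:
            findings.append((url, issues))
    return findings

# Constructed sample capture: placeholder host, placeholder payloads.
SAMPLE = [
    ("http://updates.example.invalid/boot/a.jpg",
     b"-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n"
     b"-----END CERTIFICATE-----\n"),
    ("http://updates.example.invalid/boot/b.jpg",
     b"\x30\x82\x00\x04" + b"\x00" * 4),
    ("http://updates.example.invalid/img/logo.jpg",
     b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]
```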

All further communication recorded by us is encrypted with TLS 1.2 and thus protected against simple attacks. Due to the implementation of certificate pinning, man-in-the-middle attacks were not successful, even when we installed a certificate on the device via detours.

Parent apps

The parent apps provided by VTech via the app stores must at least be classified as confusing. First of all, two apps are available for the same service per platform (Android/iOS), offering identical functions: “VTech KidiConnect” and “VTech Kid Connect”. In addition, both apps have been re-released separately for different countries instead of integrating the languages into a single app. This results in a rather chaotic picture when you look into the Google PlayStore, for example. The Apple AppStore looks similar, but it filters parts of it to fit the user’s region.

Google PlayStore for VTech Kid Connect

In the further analysis, we limited ourselves to the German version of the KidiConnect app, as the product packaging refers to it. In the static analysis, only little information could be extracted from the app, since large parts of the code have been moved into shared object files. XMPP, an open communication protocol, is used for messaging. The app communicates exclusively over TLS 1.2 encrypted connections, mostly with servers from VTech; in addition, trackers like Bugfender are contacted.

Privacy

The general privacy policy of VTech also refers to Kid Connect or KidiConnect and therefore to the KidiCom MAX children’s tablet. Within Europe, VTECH Electronics Europe B.V., based in the Netherlands, is responsible for data processing. The customer is informed in relative detail about many privacy-related topics.

Personal data is processed at VTech locations such as Hong Kong, China and the USA. Processing must be approved by an adult at the time of account creation. The privacy policy is also linked on the children’s tablet itself, but in children’s mode the link merely indicates that the policy can only be viewed in the parents’ area.

Recorded data is used for research and development; surfing behaviour, for example, is used for the purpose of market research. Personal data is shared with the entire Group, but is restricted in access by organizational and technical measures in accordance with the privacy policy. Service providers also receive access to the necessary extent. Only statistical, anonymous data is shared with other third parties.

Overall, the privacy policy often remains quite general, but in many points it specifically addresses the data of children. However, it lacks details on the trackers used in the KidiConnect app, for example.

Conclusion

The VTech KidiCom MAX children’s tablet was able to score several points in our test. However, especially with a device used by children, we have to be all the more strict with security deficiencies. The highly outdated Android version, the lack of brute-force protection for access to the parent area and the processing of data in Hong Kong, China and the USA, regardless of the child’s residence, mean that we can only award one of three possible points.

It is noticeable that VTech has completely rebuilt KidiConnect – good security concepts have been developed. But the implementation has not always been carried out consistently.