We began dumping the contents of the 16Mbit flash chip, and some pretty neat stuff popped up.
Initially it appeared that ToyTalk had put some consideration into their security model, by
building upon existing hardware and attempting to adhere to the minimal KidSafe Seal Program
information security requirements. Additionally, they encrypted nearly all communication
between devices and chose to keep sensitive information in the cloud, rather than on the doll.
However, what they failed to do was properly harden their web services. Most of the vulnerabilities
we found were in ToyTalk's websites or web services rather than in the doll itself. This leads us to
believe that ToyTalk performed little to no pre-production security analysis and is using their bug
bounty program as a low-cost alternative.
This is supported by our observation that ToyTalk was actively patching, and even discarding
entire websites, while we were performing our analysis, and by how many of the same vulnerabilities
were discovered by other groups on HackerOne. If this is the case, then it was a short-sighted
cost-cutting decision with repercussions that could have been prevented by simply hiring an
independent security team to audit their product before release.
Their actions left customers' personal information vulnerable in a race between security
researchers and malicious hackers to see who could find those vulnerabilities first. Companies
need to understand that a bug bounty program is a last resort, not a replacement for proper
security analysis before a product's release.
38 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide