FYI.

This story is over 5 years old.

Tech

It’s Trivially Easy to Watch Porn On a Restricted Tablet Made For Kids

The infamous Internet of Things vendor VTech shows how not to do parental controls.
Image: VTech

Christmas is around the corner and parents all over the world are mulling over what gifts to give their kids. Many toys and other children gizmos these days have an internet connection, which poses an interesting dilemma: how do you keep the kids out of the more undesirable (read: porn) parts of the web?

VTech, the Hong Kong-based manufacturer of Internet of Things toys that got hacked last year, attempts to solve this dilemma with a restricted custom browser. The app does not display an address bar, and limits the websites you can browse to just a handful of seemingly harmless pages pre-approved by the company such as NASA's Climate Kids, Disney Family and National Geographic, among others.

Advertisement

Read more: VTech Hacker Explains Why He Hacked the Toy Company

One of them, however, is Google Translate. And as it turns out, if you type the address of a porn site in the translation bar, you can just freely browse YouPorn or PornHub and even watch the videos.

Eva Blum-Dumontet discovered this as she was playing around with a VTech InnoTab Max, a $149 tablet marketed specifically as a "learning toy" with "age-appropriate content" for kids between the 3 and 9.

Obviously, this workaround to watch porn isn't as bad as the data breach from last year, but as Blum-Dumontet noted, this shows once again that manufacturers need to be more careful when they sell internet-connected devices, especially if they are intended for minors, and more careful when they promise parents certain features.

"While in this particular case, this was not a hack but a mere work around," Blum-Dumontet said, "Vtech clearly failed to foresee that inappropriate content could be reached on the tablet via Google Translate. If they could not foresee this, it raises serious questions as to what else they did not foresee when it comes to the toys' security."

A screenshot of the default view in the VTech Innotab Max browser.

Blum-Dumontet, who's a researcher at Privacy International, told me that finding this workaround was really easy. "Just to clarify I have zero tech skills," she said in an online chat. "It took me less than a minute."

Obviously, the kid would need to know the URL of a porn site to be able to see it, but it probably doesn't take a lot of imagination to come up with an obvious one (such as Porn.com).

Advertisement

"Just to clarifyI have zero tech skills […] It took me less than a minute."

This workaround comes out roughly a year after the VTech was breached by an unnamed hacker, who was able to access the personal data, such as names, email addresses, passwords, and home addresses, chat logs, and even some of their headshots, of 4.8 million parents and 6.3 million kids.

We reached out to VTech on Friday and the company responded on Monday saying they're "checking on this" and will respond in "the next two days." We will update the story if and when we hear back.

If you have a VTech tablet, or are planning to buy one, you can learn how to set up better parental controls through the tablet's settings in this video.

UPDATE, Dec. 6 10:00 a.m. ET: After Motherboard reached out to VTech to alert them of this workaround, the company removed Google Translate from the list of approved websites.

"It was possible to use Google's Translate service as a conduit to access websites not on the VTech-Approved Sites list thereby circumventing the default browser restrictions," a VTech spokesperson said in an email, noting that only the UK version of the InnoTab included Google Translate. "All in-store tablets can now only access the updated VTech-Approved Sites list, while existing users need simply power off and restart their tablet for the update to take effect."

Get six of our favorite Motherboard stories every day by signing up for our newsletter.