VTech tablet for kids is easy to hack, experts say

Cybersecurity experts are raising new concerns about the potential for hacking popular children's electronics. Less than a week after the Hong Kong-based electronic toymaker VTech Holdings announced hackers had breached its database and obtained personal information of nearly five million customers, security tech researchers have pinpointed two flaws in the security of the company's InnoTab Max tablet for children.

On Wednesday, security consultancy group Pen Test Partners published a blog post that reported the tablet's newfound security flaws. The researchers said that with a lost, stolen, or re-sold tablet, any data that an adult or child entered -- including passwords, email addresses, data from apps, PINs, among other information -- can be exposed.

Pen Test Partners reported that the RockChip processor in the device makes it easy for people who get ahold of the tablet to sift through personal data using "rkflashtool," a free memory-reading tool.

VTech data breach exposes personal info of parents, kids

"This bug has been known about for well over 2 years," the researchers wrote. "It's a bit lame of VTech to continue shopping vulnerable tablets, tablets that expose children's data."

As for the second big security flaw, Pen Test Partners found that it only took seconds to pry off a microSD card glued to the tablet's motherboard. This means that, just from a simple removable SD card, anyone could extract sensitive data.

After the announcement of the data breach last week, Ryan Kalember, SVP of Cybersecurity Strategy at Proofpoint, told CBS News in an email that VTech's security compromises could prove dangerous to children and their families.

"What makes this breach different from the run-of-the-mill retail breach is the children's personal data that [was] compromised," he said. "Cyber criminals are not above using a child's information for financial gain, and this is a reminder that parents should hesitate before sharing any of their children's personal information online." VTech said the breach did not expose any of its users' credit card data.

The Wall Street Journal reports VTech has hired FireEye Inc.'s Mandiant Incident Response team to review and strengthen its measures for protecting customer information.