The Inside Story Behind VTech Storio Max Vulnerability - CVE-2018-16618

  • Date 04 Jun 2019

The Inside Story Behind VTech Storio Max Vulnerability - CVE-2018-16618

04 Jun 2019, 13:00 - 13:45

Geek Street

SureCloud's Senior Security Consultant will be discussing a critical disclosure discovered on the children's VTech Storio Max tablet, which allowed attackers full access to the device. Elliott found a vulnerable service enabled on the tablet that could be exploited by a script placed on the website, triggered when Storio Max users visited the page. The code granted attackers full root control over the targeted device, including access to the webcam, speakers and microphone. The disclosure was reported to VTech, and a patch fixing the vulnerability was released within 30 days. The vulnerability was granted a CVE, and the story was featured on the BBC.

Learning Outcomes:

  • Gain a better understanding on how to approach unusual devices from a methodology standpoint
  • Identify how manufacturers can break a secure base (Android phone with Vtech software)
  • Triaging of the custom parts of devices
  • Learn how accessible ARM assembly can be
  • See a live demonstration showing the impact of proof on concept and how writing an exploit code made the manufacturer resolve the issue quickly. Elliot comments: “It’s always better to show than merely tell.”



  • Elliott Thompson


    Senior Cybersecurity Consultant


    Elliott Thompson, one of SureCloud’s senior security consultants, delivers on a variety of large and unusual pentesting engagements. Elliott engages...


We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies.