In late November, just in time for the holiday shopping season, toymaker VTech was the victim of a massive SQL injection attack. Members of Congress are now asking for more information about the Hong Kong company’s collection of data on kids after a hacker swiped info from 5 million parent accounts and nearly 6.4 million child profiles. The data stolen seems to include a wide variety of information, including pictures of children from individual devices. All of this lost to one of the software world’s oldest vulnerabilities — SQL injection.
Structured Query Language (SQL) injection vulnerabilities are among the most well-known and oldest vulnerabilities on the Web. SQL injection involves entering malicious commands into uniform resource locators (URLs) and text fields within vulnerable websites. This attack usually is an attempt to steal the contents of databases containing valuable data such as credit card information, usernames, and passwords. The attack vector has been associated with many high-profile data breaches [1] at organizations like Sony, [2] Heartland Payment Systems, [3] the U.S. Navy, and the Department of Homeland Security. [4]
Although mitigating this vulnerability is relatively simple, SQL injection attacks cost millions of dollars each year; even a minor SQL injection attack can incur costs that exceed $196,000. [5] A recent Ponemon study found that in the course of 12 months (April 2013–April 2014), approximately 65 percent of commercial and governmental organizations suffered a SQL injection attack. [6] The discovery period for those organizations was estimated to be 140 days. Once the SQL injection was discovered, recovery and cleanup took an average of 68 days. A different study by Ponemon found that of 595 surveyed United States-based information technology (IT) security practitioners, 65 percent had experienced SQL injection attacks that successfully evaded their perimeter defenses. [7]
SQL injection attacks can lead to a wide variety of cascading effects, but the most prominent of these is a data breach or data exfiltration. The costs of data breaches vary widely across industries (as shown in Figure 1), [8] but the healthcare industry generally has the highest cost. The Affordable Care Act and Healthcare.gov have made these records enticing targets. [9, 10, 11]
Figure 1: Per-Capita Cost of a Data Breach by Industry – Measured in US$
There are a number of reasons why SQL injection vulnerabilities remain so prevalent and so costly: (1) in order to mitigate SQL injection vulnerabilities, all user input must be sanitized, which can involve many lines of code in a large application, and (2) SQL injection attacks are much cheaper than many other attacks; they do not require an expensive botnet or much knowledge. In a report on open-source Java code, Coverity illustrated that programmers characteristically had sanitized code when needing user input. [12] Approximately 2 percent of the code surveyed did not have a sanitized query call. Although it is a slim percentage, it still leaves a large attack surface. Attackers have even been known to trick Google into executing SQL injection attacks for them. [13]
Guidance on mitigating SQL injection vulnerabilities can be found in multiple standards. The National Institute of Standards and Technology recommends that server-side applications constrain users to a small set of well-defined functionality and validate the size and values of input parameters. [14] In addition, all applications should always be run in least-privilege mode to limit the damage of a compromise. [15] Another defensive step is to sanitize all user input; this step should be integrated into the development phase. [16, 17, 18] Finally, prepared statements and stored procedures should be used whenever possible when making calls to a database. [19] Strategies such as defense in depth and implementing the principle of least privilege are also helpful in preventing attackers from gaining access to sensitive data. [20]
This post was written by: 2014 Summer Students
[1] Firehost, 2014, “FireHost Detects Surge in SQL Injection for Q3 2013 and Cross-Site Scripting is Rising,” accessed May 2014.
[2] Schwartz, M.J., “Sony Data Breach Cleanup To Cost $171 Million,” Dark Reading, accessed May 2014.
[3] Brenner, B., Senior Editor, 2009, “Heartland CEO on Data Breach: QSAs Let Us Down,” CEO, August 12, accessed May 2014.
[4] GMA News Online, 2012, “Hackers Hit US Navy, Homeland Security Sites,” June 23, accessed May 2014.
[5] Help Net Security, 2014, “Analysis of Three Billion Attacks Reveals SQL Injections Cost $196,000,” March 28, accessed May 2014.
[6] Higgins, K.J., 2014, “SQL Injection Cleanup Takes Two Months or More,” Dark Reading, April 17, accessed May 2014.
[7] Ponemon Institute, 2014, “The SQL Injection Threat Study,” April, accessed May 2014.
[8] Castle Rock Agency Inc., undated, “Cyber Liability & Data Breaches Can Cost Your Business an Average of $200 Per Record,” accessed May 2014.
[9] Kim, Q., 2014, “Health Care Data Is Becoming Big Target for Hackers,” February 6, accessed May 2014.
[10] McCann, E., 2014, “Hackers Target Health Data in New Breach,” Health Care IT News, January 20, accessed May 2014.
[11] Goodlin, D., 2013, “HealthCare.gov Targeted by More than a Dozen Hacking Attempts,” ARS Technica, November 14, accessed May 2014.
[12] Chickowski, E., 2013, “10 Reasons SQL Injection Still Works,” Dark Reading, May 8, accessed May 2014.
[13] Bright, P., 2013, “Google Crawler Tricked into Performing SQL Injection Attacks Using Decade-Old Technique,” ARS Technica, November 6, accessed May 2014.
[14] US-CERT (United States Computer Emergency Readiness Team), 2009, “SQL Injection,” accessed May 2014.
[15] Tracy, M., W. Jansen, K. Scarfone, and T. Winograd, 2007, “Guidelines on Securing Public Web Servers,” National Institute of Standards and Technology, September, accessed May 2014.
[16] Microsoft Developer Network, 2014, “Chapter 2: Threats and Countermeasures,” accessed May 2014.
[17] CWE (Common Weakness Enumeration), undated, “CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’),” accessed May 2014.
[18] Defending against SQL Injection
[19] OWASP, 2014, “SQL Injection Prevention Cheat Sheet,” April 12, accessed May 2014.
[20] OWASP, 2009, “Secure Coding Principles,” March 24, accessed May 2014.