Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings
from the because-we-can dept
As companies race to embrace the inanely-named “internet of things” (IOT), security and privacy are usually a very distant afterthought. That’s been made painfully apparent by “smart” refrigerators that expose your Gmail credentials, “smart” TVs that transmit your living room conversations unencrypted, or “smart” tea kettles that compromise your Wi-Fi network security. In all these examples the story remains the same: everybody’s so excited to connect everything and anything to the internet, few companies can be bothered to do so intelligently and correctly.
And with the mad rush to bring this kind of aggressive myopia to toys, the lack of security is now impacting kids as well. Late last week a hacker revealed that he (or she) had hacked into the servers of Hong-Kong-based toy company Vtech, exposing the data collected by the company’s “Kid Connect” service (which lets parents use smartphones to talk to kids using toy tablets and other devices). Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
What’s more, the hack revealed that Vtech was storing kid selfies, voice recordings, and even entire chat logs between parents and their kids. In short, Vtech was gathering and saving pretty much anything these devices could get their hands on. VTech didn’t respond to questions regarding why it needed to store all this data. And that’s likely because, like most IOT gear makers, it didn’t much think about it. It was so enamored with the gee whizery of gobbling up all manner of user data for later use, it couldn’t much be bothered to ensure fundamental security best practices.
As Mark Nunnikhoven at Trend Micro remarked shortly after the hack was revealed, the lure of IOT has many companies collecting far more data than they could ever even conceivably need — just because they can:
“This opens the organizations up to unnecessary risk. If the words “might”, “possible”, or “potential” are used in an argument supporting the collection of data, you’re about to violate the principle of least data. You should only collect and store data for well understood use. Data should be evaluated for it’s overall value to the organization and—just as importantly—the risk it can pose to the organization. Unless the cost to acquire the data in the future is so ridiculously high that it’s infeasible, you should always opt to collect and store the data when you have a concrete use for it.”
That’s common sense, but the excitement surrounding IOT has made it clear that common sense doesn’t enter into it. At least not in the design and implementation phase. Only once they’re caught not giving a damn about security or privacy are these over-enthusiastic companies suddenly model citizens. Vtech is of course no exception, since issuing a press release stating it has shuttered many of the websites hoovering up this data. The company also reiterates how it’s “committed to protecting our customer information and privacy”:
“We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future.”
But if companies were so breathlessly committed to privacy, they wouldn’t rush products to market and leave fundamental security standards as a distant afterthought in the first place. And with everything from your smart toaster to your kids’ Barbie doll now gobbling up an ocean of household data, it’s going to be an increasingly ugly lesson to learn.