Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings

from the because-we-can dept

As companies race to embrace the inanely-named “internet of things” (IOT), security and privacy are usually a very distant afterthought. That’s been made painfully apparent by “smart” refrigerators that expose your Gmail credentials, “smart” TVs that transmit your living room conversations unencrypted, or “smart” tea kettles that compromise your Wi-Fi network security. In all these examples the story remains the same: everybody’s so excited to connect everything and anything to the internet, few companies can be bothered to do so intelligently and correctly.

And with the mad rush to bring this kind of aggressive myopia to toys, the lack of security is now impacting kids as well. Late last week a hacker revealed that he (or she) had hacked into the servers of Hong-Kong-based toy company Vtech, exposing the data collected by the company’s “Kid Connect” service (which lets parents use smartphones to talk to kids using toy tablets and other devices). Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

What’s more, the hack revealed that Vtech was storing kid selfies, voice recordings, and even entire chat logs between parents and their kids. In short, Vtech was gathering and saving pretty much anything these devices could get their hands on. VTech didn’t respond to questions regarding why it needed to store all this data. And that’s likely because, like most IOT gear makers, it didn’t much think about it. It was so enamored with the gee whizery of gobbling up all manner of user data for later use, it couldn’t much be bothered to ensure fundamental security best practices.

As Mark Nunnikhoven at Trend Micro remarked shortly after the hack was revealed, the lure of IOT has many companies collecting far more data than they could ever even conceivably need — just because they can:

“This opens the organizations up to unnecessary risk. If the words “might”, “possible”, or “potential” are used in an argument supporting the collection of data, you’re about to violate the principle of least data. You should only collect and store data for well understood use. Data should be evaluated for its overall value to the organization and—just as importantly—the risk it can pose to the organization. Unless the cost to acquire the data in the future is so ridiculously high that it’s infeasible, you should always opt to collect and store the data when you have a concrete use for it.”

That’s common sense, but the excitement surrounding IOT has made it clear that common sense doesn’t enter into it. At least not in the design and implementation phase. Only once they’re caught not giving a damn about security or privacy are these over-enthusiastic companies suddenly model citizens. Vtech is of course no exception, having since issued a press release stating it has shuttered many of the websites hoovering up this data. The company also reiterates how it’s “committed to protecting our customer information and privacy”:

“We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future.”

But if companies were so breathlessly committed to privacy, they wouldn’t rush products to market and leave fundamental security standards as a distant afterthought in the first place. And with everything from your smart toaster to your kids’ Barbie doll now gobbling up an ocean of household data, it’s going to be an increasingly ugly lesson to learn.

Companies: vtech


Comments on “Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings”

Anonymous Coward says:

Vtech deserves the lion’s share of the blame, and there is a role for parental responsibility to play. This is a teachable moment not only to the parents who thoughtlessly consent to this, but to the children who are learning that personal information disclosure is not only routine, but becoming an expected part of play, growth, and development.

Anonymous Coward says:

I suspect that companies in this space will only start to take privacy and data protection seriously when serious fines — say, a statutory $1000 per person affected, payable within a week of the breach — are imposed for cases where well-defined data protection best practices were not followed.

The $1000 seems small compared to the potential damage done to each person, but the resulting $4.8 billion fine wouldn’t be out of place, no? It’d certainly start getting some attention…

Anonymous Coward says:

Vtech needs to be sued out of business quickly

Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

This is a pedophile’s or identity thief’s dream: it’s enough to convince children “mom sent me to pick you up, hey look, I even know your birthday” or enough to start setting up identity theft that happens years down the road.

Unless Vtech is absolutely hammered for this, other companies will do the same. And in doing so, they’re going to expose an entire generation of children to massive risk for no reason other than their own hubris.

art guerrilla (profile) says:

Re: Re: Vtech needs to be sued out of business quickly

yes, they could…
the sheeple could do ALL sorts of stuff if they acted in concert…
prolly not gonna happen until the bread and circuses run out…
then it will be too late…

besides -no slur upon techdirtia- but how many parents are tuned in to this website on the off chance some tech-related story has this impact on their special snowflakes ? ? ?
otherwise, it gets a 10 second mention on the mainstream news, then down the memory hole it is flushed ! ! !

vastrightwing (profile) says:

Buy dumb appliances

I bought a dumb TV recently, but it was hard because the stores don’t carry dumb tvs on the floor. They are special items now. The sales guy said the smart tv is so much better than the dumb tv. Sure, better for him and the manufacturer.

Home equipment like lawn gear now has software in it we can’t do anything with. Now toys. Of course we can’t inspect the software because manufacturers don’t want us to know what it is doing. Case in point, VW sure didn’t want any one poking around to discover its trade secret. Right!

I see a new market for dumb appliances as they become harder and harder to find.

Anonymous Coward says:

Re: Buy dumb appliances

I bought a dumb TV recently, but it was hard because the stores don’t carry dumb tvs on the floor.

You can still buy computer monitors, which may be good enough if you’re using a cable box or DVR with HDMI output. They’re not as enormous as modern TVs, but they’re as big as the CRT televisions many of us grew up with (right until LCDs obsoleted them in the 2000s).

tqk (profile) says:

Are they investigating the implementers too, I hope?

The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech.

Additional to the current absolute lack of security, as apparently there was none. How can people write shit like this with a straight face? Have we managed to completely de-select away that gene that once allowed us to admit, “We fucked up, sorry. We’ll do our best to fix this, and put in the necessary effort to ensure nothing like it ever happens again. We feel really stupid right now, and the idiot whose job it was to handle this is being flogged to death as we write.”

Mason Wheeler (profile) says:

Once inside, the hacker obtained the … passwords, … of 4,833,678 parents

That right there should be considered a priori evidence of criminal negligence on the part of VTech. It’s basically Websites 101 that if you store passwords in such a way that it’s possible for a hacker to read them, you’re Doing It Wrong.

Some people without experience in such matters may look at this and say, “but wait, if you don’t store the password, how do you validate it when you log in?” The answer is, you store a hash of the password, which is a technical transformation that’s kind of like encryption, except it can only be performed one-way. (You can decrypt something that’s been encrypted if you have the key, but you can’t de-hash hashed data.) When the person tries to log in, you hash the password that they sent and if the hash matches, you’re confident that the password is correct, since a properly designed cryptographic hash makes it exceptionally unlikely that two different passwords will hash to the same value.

Getting the details of password hashing right can be complicated, but if the hacker got everyone’s passwords, that means VTech was almost certainly storing them in plain text (not hashed at all) or using a hash that’s known to be broken (the math for some of them has flaws that do make it possible to reverse the hashing process a lot of the time). Doing either one would be considered grossly negligent by any competent programmer.

Stephen says:

As companies race to embrace the inanely-named “internet of things” (IOT), security and privacy are usually a very distant afterthought.

So it seems! I’ve been reading Troy Hunt’s analysis of the hack at:

and some of these details show just how naive at Net security Vtech truly was.

For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. …

[O]nce the passwords hit the database… they’re protected with nothing more than a straight MD5 hash which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text…

Storing passwords as plain text is all too common even now, and not confined to children’s products. There is a manufacturer of internet modems & routers which does the same thing with the admin passwords for at least some of its ADSL2 modem routers meant for home use!

As for the impact of this particular hack, VTech itself now admits:

In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate

Given the growing trend towards connecting everything to the Net, VTech and their problem probably merely represent the small tip of a large (and growing) iceberg.
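The two comments above describe password storage from both sides: hash-and-compare at login, and the "straight MD5" scheme found in the breach analysis. The sketch below is an added example, not part of either comment and not VTech's code; the account names, the PBKDF2 choice and the 600,000-iteration work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts for illustration; not data from the breach.
SAMPLE_USERS = {"parent_a": "sunshine1", "parent_b": "sunshine1", "parent_c": "Tr1cky-horse"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def md5_record(password: str) -> str:
    """'Straight MD5' as in the quoted analysis: no salt, one fast round."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash stored as 'pbkdf2_sha256$iters$salt$hash'."""
    salt = os.urandom(16)  # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except (ValueError, OverflowError):  # malformed or truncated record
        return False
    return hmac.compare_digest(candidate, expected)


def shared_hash_groups(records: dict) -> list:
    """Audit helper: groups of accounts whose stored values are identical."""
    by_value = defaultdict(list)
    for user, value in records.items():
        by_value[value].append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


def demo() -> dict:
    md5_table = {u: md5_record(p) for u, p in SAMPLE_USERS.items()}
    kdf_table = {u: pbkdf2_record(p) for u, p in SAMPLE_USERS.items()}
    return {
        "md5_shared": shared_hash_groups(md5_table),  # same password -> same hash
        "kdf_shared": shared_hash_groups(kdf_table),  # salts make every record unique
        "login_ok": verify("sunshine1", kdf_table["parent_a"]),
        "login_bad": verify("sunshine2", kdf_table["parent_a"]),
    }


if __name__ == "__main__":
    print(demo())
```

In the unsalted table two accounts with the same password are indistinguishable, so recovering one value exposes both; with a per-account salt and a slow derivation, each record has to be attacked separately.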

Anonymous Coward says:

Yes, blame the hacker, but blame the company more!

There is only one way to make a greedy person/company spend money on reasonable protection… hit their wallet.
It is ridiculous to watch these big companies basically leaving the door open and getting away with blaming the hacker every time.
I know they will lose customers and future profit, but the amount pales compared to what they have made from those products in the past so in the end, it is a payday and a financial reason not to do it.
The favorite excuse is that “it’s business, what did you expect?” Well I do expect businesses to act like adults and act responsible with the valuables that people entrust to them. For far too long we have accepted atrocities in the name of money and business.
Maybe we need to treat them like children if they insist on acting like it. With that I mean to send someone to do some serious forced security audits from an external source and make them pay when they don’t live up to reasonable standards. They obviously aren’t grown enough to police themselves.
There needs to be a trial when data shows up on the internet, but both for the hacker and the company. If the company is found, by a security expert, to not live up to security that fits their exposure, the kind of data leaked the size of the company and other factors. Lastly they need to really feel the punishment so they can come to no other conclusion that better security practices are the only profitable way to go.

Violynne (profile) says:

It’s easy to blame the company for its lack of security, but the ultimate responsibility lies on the consumer, who did not use any common sense while purchasing and using the product.

Companies don’t care about security for one reason: they’re not held accountable for any breach of information. While it’s true they must offer credit protection, the consumer is still required to take the offer. Otherwise, the company walks and the consumer deals with the fallout.

Anonymous Coward says:

Re: Re:

I disagree on this.

The ultimate responsibility lies on the company because, well, it is their responsibility to do so.

That’s like saying that the responsibility of someone dying in the operation room is the patient’s (in cases where there was a fuck up from the doctors’ side, I mean), because they chose to go to that doctor instead of to another that wouldn’t be so negligent.

You are not supposed to know the specifics of any service you pay because it isn’t your job to do so. That’s why you hire them. If they are required by law to meet some standards, then they got to follow them. And if they aren’t, then it’s time to change the laws so that they are supposed to work the way we want, and not the way they want.

The only responsibility of a customer is to pay for the service provided and to use it responsibly, taking into account the limits any normal person has.

Any problem related to the product or that is too complex for your normal customer to tackle, that’s the provider’s responsibility and not yours.

Because that’s what means being a professional. You take responsibility for your work, not your customer. You’re the expert, not him.

Anonymous Coward says:

Re: Re: Re:

The only responsibility of a customer is to pay for the service provided and to use it responsibly, taking into account the limits any normal person has.

While I mostly agree, shouldn’t parents have been hesitant to provide their children’s birthdates and home addresses? (A home address is understandable if Vtech were going to mail a product but it doesn’t seem that was happening.) It’s odd that we didn’t hear about this data collection till now. Somebody should have been alarmed they were even requesting it, and went to the media if Vtech didn’t respond by making it optional or offering a product refund.

Klaus says:

Re: Re:

I too must disagree. Vtech are a Hong Kong based company. Their collection of personal data falls under the jurisdiction of Hong Kong’s Personal Data Ordinance. VTech are meant to:

1. Ensure the collection of personal data is lawful, fair and not excessive. VTech must identify to a data subject the information it is collecting about them.

2. Ensure that all practicable steps have been taken to protect personal data against unauthorized or accidental access.

Unless VTech really did make an effort in the security department, they are royally screwed.

Anonymous Coward says:

Catalog Coming Soon

Coming soon to a dark net near you…

From Vtech, we have acquired a large database of the following information:

“… names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.”

These data allow us to provide a catalog, shopping app with entries of the form:

gender (sortable)
age (sortable)
picture (some)
home address
parents’ names

The catalog app offers a distance filter that allows the user to a personal geolocation and maximum radius to identify potentially local items.

John Fenderson (profile) says:

IoT done wrong

The lure of IOT has many companies collecting far more data than they could ever even conceivably need

Which is why everyone should avoid IoT things like the plague. The sad thing is that IoT could be done in a way that eliminates this problem simply by having the devices talk to a server placed in the home instead of in the cloud. But that would eliminate the entire reason companies are so excited about IoT: the expanded spying opportunities.

Cranky says:

Everyone's been kinda slow on the uptake here

Since I saw this news come out last weekend, one specific claim has had my BS detector going off-scale: that the leak involved the information of over 4 million parents, but only about 200,000 children.

Think about that ratio for a minute. (Go on, I’ll wait.)

How is it that nobody seems to have questioned this completely upside-down ratio? If over 4 million parents apparently bought and registered vtech’s surveillance toys,
how is it that 3.8 million of these rocket scientists managed not to give the toys to their children? (I’m having trouble accepting the notion that these parents failed to “personalize” their unfortunate children’s “experience” by passing along all the info vtech seems to have been fishing for.)

And now I see that my suspicion was well founded: vtech now admits that the number of affected toddlers is actually over 6 million, not the 200,000 they first claimed. (El Reg has a fresh article on this.)

I’m a bit disappointed in the apparent lack of attention demonstrated by these vtech articles. You guys can surely do better.

