Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings
from the because-we-can dept
As companies race to embrace the inanely-named "internet of things" (IOT), security and privacy are usually a very distant afterthought. That's been made painfully apparent by "smart" refrigerators that expose your Gmail credentials, "smart" TVs that transmit your living room conversations unencrypted, or "smart" tea kettles that compromise your Wi-Fi network security. In all these examples the story remains the same: everybody's so excited to connect everything and anything to the internet that few companies can be bothered to do so intelligently and correctly.
And with the mad rush to bring this kind of aggressive myopia to toys, the lack of security is now impacting kids as well. Late last week a hacker revealed that he (or she) had hacked into the servers of Hong-Kong-based toy company Vtech, exposing the data collected by the company's "Kid Connect" service (which lets parents use smartphones to talk to kids using toy tablets and other devices). Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
What's more, the hack revealed that Vtech was storing kid selfies, voice recordings, and even entire chat logs between parents and their kids. In short, Vtech was gathering and saving pretty much anything these devices could get their hands on. VTech didn't respond to questions regarding why it needed to store all this data. And that's likely because, like most IOT gear makers, it didn't much think about it. It was so enamored with the gee-whizzery of gobbling up all manner of user data for later use, it couldn't much be bothered to ensure fundamental security best practices.
As Mark Nunnikhoven at Trend Micro remarked shortly after the hack was revealed, the lure of IOT has many companies collecting far more data than they could ever even conceivably need -- just because they can:
"This opens the organizations up to unnecessary risk. If the words "might", "possible", or "potential" are used in an argument supporting the collection of data, you're about to violate the principle of least data. You should only collect and store data for well understood use. Data should be evaluated for its overall value to the organization and—just as importantly—the risk it can pose to the organization. Unless the cost to acquire the data in the future is so ridiculously high that it's infeasible, you should always opt to collect and store the data when you have a concrete use for it."

That's common sense, but the excitement surrounding IOT has made it clear that common sense doesn't enter into it. At least not in the design and implementation phase. Only once they're caught not giving a damn about security or privacy do these over-enthusiastic companies suddenly become model citizens. Vtech is of course no exception, having issued a press release stating it has shuttered many of the websites hoovering up this data. The company also reiterates how it's "committed to protecting our customer information and privacy":
"We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future."

But if companies were so breathlessly committed to privacy, they wouldn't rush products to market and leave fundamental security standards as a distant afterthought in the first place. And with everything from your smart toaster to your kids' Barbie doll now gobbling up an ocean of household data, it's going to be an increasingly ugly lesson to learn.
Reader Comments
The $1000 seems small compared to the potential damage done to each person, but the resulting $4.8 billion fine wouldn't be out of place, no? It'd certainly start getting some attention...
Vtech needs to be sued out of business quickly
This is a pedophile's or identity thief's dream: it's enough to convince children "mom sent me to pick you up, hey look, I even know your birthday" or enough to start setting up identity theft that happens years down the road.
Unless Vtech is absolutely hammered for this, other companies will do the same. And in doing so, they're going to expose an entire generation of children to massive risk for no reason other than their own hubris.
Just like "No Capes!" ..
Re: Vtech needs to be sued out of business quickly
People could simply stop buying Vtech products.
Buy dumb appliances
Home equipment like lawn gear now has software in it we can't do anything with. Now toys. Of course we can't inspect the software because manufacturers don't want us to know what it is doing. Case in point, VW sure didn't want anyone poking around to discover its trade secret. Right!
I see a new market for dumb appliances as they become harder and harder to find.
Re: Buy dumb appliances
I think that may be problematic.
Re: Re: Vtech needs to be sued out of business quickly
the sheeple could do ALL sorts of stuff if they acted in concert...
prolly not gonna happen until the bread and circuses run out...
then it will be too late...
besides -no slur upon techdirtia- but how many parents are tuned in to this website on the off chance some tech-related story has this impact on their special snowflakes ? ? ?
otherwise, it gets a 10 second mention on the mainstream news, then down the memory hole it is flushed ! ! !
Re: Vtech needs to be sued out of business quickly
You mean wet dream, right? Because all around, I do believe that's more accurate. Not to be disgusting.
Re: Re: Re: Vtech needs to be sued out of business quickly
Are they investigating the implementers too, I hope?
Additional to the current absolute lack of security, as apparently there was none. How can people write shit like this with a straight face? Have we managed to completely de-select away that gene that once allowed us to admit, "We fucked up, sorry. We'll do our best to fix this, and put in the necessary effort to ensure nothing like it ever happens again. We feel really stupid right now, and the idiot whose job it was to handle this is being flogged to death as we write."
Re: Vtech needs to be sued out of business quickly
That right there should be considered a priori evidence of criminal negligence on the part of VTech. It's basically Websites 101 that if you store passwords in such a way that it's possible for a hacker to read them, you're Doing It Wrong.
Some people without experience in such matters may look at this and say, "but wait, if you don't store the password, how do you validate it when you log in?" The answer is, you store a hash of the password, which is a technical transformation that's kind of like encryption, except it can only be performed one-way. (You can decrypt something that's been encrypted if you have the key, but you can't de-hash hashed data.) When the person tries to log in, you hash the password that they sent and if the hash matches, you're confident that the password is correct, since a properly designed cryptographic hash makes it exceptionally unlikely that two different passwords will hash to the same value.
Getting the details of password hashing right can be complicated, but if the hacker got everyone's passwords, that means VTech was almost certainly storing them in plain text (not hashed at all) or using a hash that's known to be broken (the math for some of them has flaws that do make it possible to reverse the hashing process a lot of the time). Doing either one would be considered grossly negligent by any competent programmer.
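The comment above sketches why hashing matters. What follows is an added example written for this page; it is not code from VTech, from the commenter, or from any library, and it puts the three storage schemes the comment contrasts side by side: plaintext, an unsalted fast hash (MD5 stands in for any such hash; the page does not say which hash VTech used), and a salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library. The wordlist, the user records, the iteration count and the `algo$iterations$salt$digest` record format are assumptions made for the example. One point worth separating from the comment's wording: the practical weakness of an unsalted fast hash is not that its math is reversed, but that it is fast and unsalted, so a dictionary run or a precomputed table recovers the common passwords in bulk, which `crack_md5` shows in miniature.

```python
"""
Added example (not VTech's code): three ways a site might store and check
passwords, from the grossly negligent to the acceptable.

Assumptions made for the example: the wordlist, the record format and the
PBKDF2 iteration count below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed dictionary of the kind any attacker carries around.
WORDLIST = ["password", "123456", "letmein", "qwerty", "vtech2015", "hunter2"]


# 1. Plaintext: what "the hacker got everyone's passwords" usually means.
def store_plaintext(password: str) -> str:
    return password


def verify_plaintext(stored: str, attempt: str) -> bool:
    # compare_digest avoids leaking the prefix length through timing.
    return hmac.compare_digest(stored, attempt)


# 2. Unsalted, fast hash. It looks hashed in the database, but because it is
#    fast and every user with the same password shares the same digest, a
#    dictionary run or a precomputed table recovers most real passwords.
def store_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def verify_md5(stored: str, attempt: str) -> bool:
    return hmac.compare_digest(stored, store_md5(attempt))


def crack_md5(stored: str, wordlist=WORDLIST) -> Optional[str]:
    """Dictionary attack against an unsalted MD5 digest."""
    for word in wordlist:
        if store_md5(word) == stored:
            return word
    return None


# 3. Per-user salt plus a deliberately slow, iterated hash.
#    Assumption: 600_000 iterations (an OWASP-style figure); tune to hardware.
PBKDF2_ITERATIONS = 600_000


def store_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Record format is an assumption for the example: algo$iterations$salt$digest
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(stored: str, attempt: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str, iterations: int = 1000) -> bool:
    """Two users with the same password get different records, so cracking
    one record unlocks nothing else and no precomputed table applies."""
    return store_pbkdf2(password, iterations) != store_pbkdf2(password, iterations)


if __name__ == "__main__":
    pw = "letmein"
    print("plaintext record:", store_plaintext(pw))
    md5_record = store_md5(pw)
    print("md5 record:", md5_record, "-> cracked as", crack_md5(md5_record))
    record = store_pbkdf2(pw)
    print("pbkdf2 record:", record)
    print("verify good:", verify_pbkdf2(record, pw), "verify bad:", verify_pbkdf2(record, "Letmein"))
    print("distinct records for same password:", same_password_distinct_records(pw))
```

The verifier reads the iteration count back out of the stored record, so when the parameter is raised later, old records still verify and can be re-hashed at the user's next successful login rather than in a bulk migration.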
Re: Vtech needs to be sued out of business quickly
Think of the children!! It's for the children!!
Now, advocates for privacy and encryption got the proper argument to make so that the government does what they want.
CYOA
Re: Re: Vtech needs to be sued out of business quickly
Yes they could, but unless Vtech is punished hard for this, what's going to motivate the next company to install more safeguards and not collect so much data? Absolutely nothing.
http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html
and some of these details show just how naive at Net security Vtech truly was.
Storing passwords as plain text is all too common even now, and not confined to children's products. There is a manufacturer of internet modems & routers which does the same thing with the admin passwords for at least some of its ADSL2 modem routers meant for home use!
As for the impact of this particular hack, VTech itself now admits:
https://www.vtech.com/en/press_release/2015/faq-about-data-breach-on-vtech-learning-lodge/
Given the growing trend towards connecting everything to the Net, VTech and their problem probably merely represent the small tip of a large (and growing) iceberg.
Yes, blame the hacker, but blame the company more!
It is ridiculous to watch these big companies basically leaving the door open and getting away with blaming the hacker every time.
I know they will lose customers and future profit, but the amount pales compared to what they have made from those products in the past so in the end, it is a payday and a financial reason not to do it.
The favorite excuse is that "it's business, what did you expect?" Well I do expect businesses to act like adults and act responsible with the valuables that people entrust to them. For far too long we have accepted atrocities in the name of money and business.
Maybe we need to treat them like children if they insist on acting like it. With that I mean to send someone to do some serious forced security audits from an external source and make them pay when they don't live up to reasonable standards. They obviously aren't grown enough to police themselves.
There needs to be a trial when data shows up on the internet, but both for the hacker and the company. If the company is found, by a security expert, to not live up to security that fits their exposure, the kind of data leaked, the size of the company and other factors. Lastly they need to really feel the punishment so they can come to no other conclusion than that better security practices are the only profitable way to go.
Companies don't care about security for one reason: they're not held accountable for any breach of information. While it's true they must offer credit protection, the consumer is still required to take the offer. Otherwise, the company walks and the consumer deals with the fallout.
Re:
The ultimate responsibility lies on the company because, well, it is their responsibility to do so.
That's like saying that the responsibility of someone dying in the operation room is the patient's (in cases where there was a fuck up from the doctors' side, I mean), because they chose to go to that doctor instead of to another that wouldn't be so negligent.
You are not supposed to know the specifics of any service you pay for because it isn't your job to do so. That's why you hire them. If they are required by law to meet some standards, then they got to follow them. And if they aren't, then it's time to change the laws so that they are supposed to work the way we want, and not the way they want.
The only responsibility of a customer is to pay for the service provided and to use it responsibly, taking into account the limits any normal person has.
Any problem related to the product or that is too complex for your normal customer to tackle, that's the provider's responsibility and not yours.
Because that's what means being a professional. You take responsibility for your work, not your customer. You're the expert, not him.
Catalog Coming Soon
From Vtech, we have acquired a large database of the following information:
"... names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids."
These data allow us to provide a catalog, shopping app with entries of the form:
gender (sortable)
age (sortable)
picture (some)
home address
name
parents' names
The catalog app offers a distance filter that allows the user to set a personal geolocation and maximum radius to identify potentially local items.
Re: Catalog Coming Soon
Vtech should not just be sued, it should be prosecuted.
Re: Buy dumb appliances
Re: Re:
Re:
To me it seems that whoever implemented it, knew that a password should be hashed, but wasn't knowledgeable or experienced enough to know exactly how to do it properly.
IoT done wrong
Which is why everyone should avoid IoT things like the plague. The sad thing is that IoT could be done in a way that eliminates this problem simply by having the devices talk to a server placed in the home instead of in the cloud. But that would eliminate the entire entire reason companies are so excited about IoT: the expanded spying opportunities.
Re: Re:
Which is almost as bad as not hashing them at all.
Everyone's been kinda slow on the uptake here
Think about that ratio for a minute. (Go on, I'll wait.)
How is it that nobody seems to have questioned this completely upside-down ratio? If over 4 million parents apparently bought and registered vtech's surveillance toys, how is it that 3.8 million of these rocket scientists managed not to give the toys to their children? (I'm having trouble accepting the notion that these parents failed to "personalize" their unfortunate children's "experience" by passing along all the info vtech seems to have been fishing for.)
And now I see that my suspicion was well founded: vtech now admits that the number of affected toddlers is actually over 6 million, not the 200,000 they first claimed. (El Reg has a fresh article on this.)
I'm a bit disappointed in the apparent lack of attention demonstrated by these vtech articles. You guys can surely do better.
Re:
https://en.wikipedia.org/wiki/Room_641A
Re: Everyone's been kinda slow on the uptake here
Silly me.
---
Re: Re: Everyone's been kinda slow on the uptake here
Re:
1. Ensure the collection of personal data is lawful, fair and not excessive. VTech must identify to a data subject the information it is collecting about them.
2. Ensure that all practicable steps have been taken to protect personal data against unauthorized or accidental access.
Unless VTech really did make an effort in the security department, they are royally screwed.
Re: Everyone's been kinda slow on the uptake here