Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings
from the because-we-can dept
As companies race to embrace the inanely-named “internet of things” (IOT), security and privacy are usually a very distant afterthought. That’s been made painfully apparent by “smart” refrigerators that expose your Gmail credentials, “smart” TVs that transmit your living room conversations unencrypted, or “smart” tea kettles that compromise your Wi-Fi network security. In all these examples the story remains the same: everybody’s so excited to connect everything and anything to the internet, few companies can be bothered to do so intelligently and correctly.
And with the mad rush to bring this kind of aggressive myopia to toys, the lack of security is now impacting kids as well. Late last week a hacker revealed that he (or she) had hacked into the servers of Hong-Kong-based toy company Vtech, exposing the data collected by the company’s “Kid Connect” service (which lets parents use smartphones to talk to kids using toy tablets and other devices). Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
What’s more, the hack revealed that Vtech was storing kid selfies, voice recordings, and even entire chat logs between parents and their kids. In short, Vtech was gathering and saving pretty much anything these devices could get their hands on. VTech didn’t respond to questions regarding why it needed to store all this data. And that’s likely because, like most IOT gear makers, it didn’t much think about it. It was so enamored with the gee whizery of gobbling up all manner of user data for later use, it couldn’t much be bothered to ensure fundamental security best practices.
As Mark Nunnikhoven at Trend Micro remarked shortly after the hack was revealed, the lure of IOT has many companies collecting far more data than they could ever even conceivably need — just because they can:
“This opens the organizations up to unnecessary risk. If the words “might”, “possible”, or “potential” are used in an argument supporting the collection of data, you’re about to violate the principle of least data. You should only collect and store data for well understood use. Data should be evaluated for its overall value to the organization and, just as importantly, the risk it can pose to the organization. Unless the cost to acquire the data in the future is so ridiculously high that it’s infeasible, you should always opt to collect and store the data when you have a concrete use for it.”
That’s common sense, but the excitement surrounding IOT has made it clear that common sense doesn’t enter into it. At least not in the design and implementation phase. Only once they’re caught not giving a damn about security or privacy are these over-enthusiastic companies suddenly model citizens. Vtech is of course no exception, having since issued a press release stating it has shuttered many of the websites hoovering up this data. The company also reiterates how it’s “committed to protecting our customer information and privacy”:
“We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future.”
But if companies were so breathlessly committed to privacy, they wouldn’t rush products to market and leave fundamental security standards as a distant afterthought in the first place. And with everything from your smart toaster to your kids’ Barbie doll now gobbling up an ocean of household data, it’s going to be an increasingly ugly lesson to learn.
Filed Under: hack, internet of things, kids, logs, privacy, toys
Companies: vtech
Comments on “Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings”
And remember folks the THIRD PARTY doctrine applies to all this data they are hoovering up. The Government comes a knocking they will have to hand it all over because you have NO expectation of privacy.
Vtech deserves the lion’s share of the blame, and there is role for parental responsibility to play. This is a teachable moment not only to the parents who thoughtlessly consent to this, but to the children who are learning that personal information disclosure is not only routine, but becoming an expected part of play, growth, and development.
I suspect that companies in this space will only start to take privacy and data protection seriously when serious fines — say, a statutory $1000 per person affected, payable within a week of the breach — are imposed for cases where well-defined data protection best practices were not followed.
The $1000 seems small compared to the potential damage done to each person, but the resulting $4.8 billion fine wouldn’t be out of place, no? It’d certainly start getting some attention…
Vtech needs to be sued out of business quickly
Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
This is a pedophile’s or identity thief’s dream: it’s enough to convince children “mom sent me to pick you up, hey look, I even know your birthday” or enough to start setting up identity theft that happens years down the road.
Unless Vtech is absolutely hammered for this, other companies will do the same. And in doing so, they’re going to expose an entire generation of children to massive risk for no reason other than their own hubris.
Re: Vtech needs to be sued out of business quickly
Re: Re: Vtech needs to be sued out of business quickly
yes, they could…
the sheeple could do ALL sorts of stuff if they acted in concert…
prolly not gonna happen until the bread and circuses run out…
then it will be too late…
besides -no slur upon techdirtia- but how many parents are tuned in to this website on the off chance some tech-related story has this impact on their special snowflakes ? ? ?
otherwise, it gets a 10 second mention on the mainstream news, then down the memory hole it is flushed ! ! !
Re: Re: Re: Vtech needs to be sued out of business quickly
All the contact information is out there. Maybe little Jimmy’s picture on a postcard will get their attention?
Re: Re: Vtech needs to be sued out of business quickly
Yes they could, but unless Vtech is punished hard for this, what’s going to motivate the next company to install more safeguards and not collect so much data? Absolutely nothing.
Re: Vtech needs to be sued out of business quickly
You mean wet dream, right? Because all around, I do believe that’s more accurate. Not to be disgusting.
Re: Vtech needs to be sued out of business quickly
Hubris…no. Profit…yes.
Re: Vtech needs to be sued out of business quickly
every company that sells their products without a warning [all] should be sued who needs a toysR.
Just like "No Capes!" ..
No apps! Ever.
Buy dumb appliances
I bought a dumb TV recently, but it was hard because the stores don’t carry dumb tvs on the floor. They are special items now. The sales guy said the smart tv is so much better than the dumb tv. Sure, better for him and the manufacturer.
Home equipment like lawn gear now has software in it we can’t do anything with. Now toys. Of course we can’t inspect the software because manufacturers don’t want us to know what it is doing. Case in point, VW sure didn’t want any one poking around to discover its trade secret. Right!
I see a new market for dumb appliances as they become harder and harder to find.
Re: Buy dumb appliances
How many different ways does “smart appliance” exemplify oxymoronic? I understand that they did not bake security into the ‘net’ originally, but will we be able to buy toasters for cash without giving away our life history in the future?
I think that may be problematic.
Re: Buy dumb appliances
You can still buy computer monitors, which may be good enough if you’re using a cable box or DVR with HDMI output. They’re not as enormous as modern TVs, but they’re as big as the CRT televisions many of us grew up with (right until LCDs obsoleted them in the 2000s).
Vtech did not kick in…..
Are they investigating the implementers too, I hope?
Additional to the current absolute lack of security, as apparently there was none. How can people write shit like this with a straight face? Have we managed to completely de-select away that gene that once allowed us to admit, “We fucked up, sorry. We’ll do our best to fix this, and put in the necessary effort to ensure nothing like it ever happens again. We feel really stupid right now, and the idiot whose job it was to handle this is being flogged to death as we write.”
Re: CYOA
If they admit that they had no security to speak of, they then open themselves up to lawsuits for gross negligence. By framing it instead as not having had enough security though, the blame is shifted away from them.
That right there should be considered a priori evidence of criminal negligence on the part of VTech. It’s basically Websites 101 that if you store passwords in such a way that it’s possible for a hacker to read them, you’re Doing It Wrong.
Some people without experience in such matters may look at this and say, “but wait, if you don’t store the password, how do you validate it when you log in?” The answer is, you store a hash of the password, which is a technical transformation that’s kind of like encryption, except it can only be performed one-way. (You can decrypt something that’s been encrypted if you have the key, but you can’t de-hash hashed data.) When the person tries to log in, you hash the password that they sent and if the hash matches, you’re confident that the password is correct, since a properly designed cryptographic hash makes it exceptionally unlikely that two different passwords will hash to the same value.
Getting the details of password hashing right can be complicated, but if the hacker got everyone’s passwords, that means VTech was almost certainly storing them in plain text (not hashed at all) or using a hash that’s known to be broken (the math for some of them has flaws that do make it possible to reverse the hashing process a lot of the time). Doing either one would be considered grossly negligent by any competent programmer.
Re: Re:
According to what I’ve read from Troy Hunt’s analysis, the passwords were hashed. Although they used a simple MD5 hash without a salt.
To me it seems that whoever implemented it, knew that a password should be hashed, but wasn’t knowledgeable or experienced enough to know exactly how to do it properly.
Re: Re: Re:
“Although they used a simple MD5 hash without a salt.”
Which is almost as bad as not hashing them at all.
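As a worked illustration of the point made in this thread (hash the password rather than store it, and why an unsalted MD5 hash falls short), here is an added Python example. It is not code from the article, from Troy Hunt’s analysis, or from any commenter. It places the unsalted MD5 scheme the comments describe next to a salted PBKDF2-HMAC-SHA256 record, adds a constant-time verify routine, and includes a small audit check a site operator could run over its own stored values to spot bare MD5 digests. The iteration count, the record format, and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed parameters for the hardened scheme (PBKDF2-HMAC-SHA256 from the
# standard library). The iteration count is an illustrative value, not a
# figure taken from the article or from Troy Hunt's analysis.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Shape of a bare, unsalted MD5 digest as it would sit in a database column.
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def weak_hash(password: str) -> str:
    """The scheme the comments describe: one-way, but unsalted MD5.

    Every account with the same password yields the identical digest, so a
    single precomputed lookup for a common password covers every account
    that uses it.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$<iters>$<salt>$<hash>'.

    A fresh random salt per account (os.urandom) means identical passwords
    produce different records, and the iteration count slows guessing.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def looks_like_unsalted_md5(record: str) -> bool:
    """Audit helper: flag a stored value that is a bare 32-hex MD5 digest."""
    return bool(_MD5_HEX.match(record))


def audit_records(records: Dict[str, str]) -> List[str]:
    """Return the account names whose stored value is a bare MD5 digest."""
    return sorted(
        user for user, rec in records.items() if looks_like_unsalted_md5(rec)
    )


if __name__ == "__main__":
    # Constructed sample: two accounts share a password, as commonly happens.
    print(weak_hash("password") == weak_hash("password"))      # True
    print(make_record("password") == make_record("password"))  # False
    rec = make_record("password")
    print(verify("password", rec), verify("Password", rec))    # True False
    legacy = {"alice": weak_hash("password"), "bob": make_record("hunter2")}
    print(audit_records(legacy))                               # ['alice']
```

The audit function is the part a defender would actually run: after a breach report like this one, the first question is how many stored values are still bare digests, and a column-shape check answers it without touching any password.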
We need to strengthen privacy laws and reinforce encryption.
Think of the children!! It’s for the children!!
Now, advocates for privacy and encryption got the proper argument to make so that the government does what they want.
Three words: NSA.
Re: Re:
If they ever passed this information across the internet – then the NSA(and likely other agencies) has a copy of it.
https://en.wikipedia.org/wiki/Room_641A
So it seems! I’ve been reading Troy Hunt’s analysis of the hack at:
http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html
and some of these details show just how naive at Net security Vtech truly was.
Storing passwords as plain text is all too common even now, and not confined to children’s products. There is a manufacturer of internet modems & routers which does the same thing with the admin passwords for at least some of its ADSL2 modem routers meant for home use!
As for the impact of this particular hack, VTech itself now admits:
https://www.vtech.com/en/press_release/2015/faq-about-data-breach-on-vtech-learning-lodge/
Given the growing trend towards connecting everything to the Net, VTech and their problem probably merely represent the small tip of a large (and growing) iceberg.
Yes, blame the hacker, but blame the company more!
There is only one way to make a greedy person/company spend money on reasonable protection… hit their wallet.
It is ridiculous to watch these big companies basically leaving the door open and getting away with blaming the hacker every time.
I know they will lose customers and future profit, but the amount pales compared to what they have made from those products in the past so in the end, it is a payday and a financial reason not to do it.
The favorite excuse is that “it’s business, what did you expect?” Well I do expect businesses to act like adults and act responsible with the valuables that people entrust to them. For far too long we have accepted atrocities in the name of money and business.
Maybe we need to treat them like children if they insist on acting like it. With that I mean to send someone to do some serious forced security audits from an external source and make them pay when they don’t live up to reasonable standards. They obviously aren’t grown enough to police themselves.
There needs to be a trial when data shows up on the internet, but both for the hacker and the company. If the company is found, by a security expert, to not live up to security that fits their exposure, the kind of data leaked, the size of the company and other factors. Lastly they need to really feel the punishment so they can come to no other conclusion than that better security practices are the only profitable way to go.
It’s easy to blame the company for its lack of security, but the ultimate responsibility lies on the consumer, who did not use any common sense while purchasing and using the product.
Companies don’t care about security for one reason: they’re not held accountable for any breach of information. While it’s true they must offer credit protection, the consumer is still required to take the offer. Otherwise, the company walks and the consumer deals with the fallout.
Re: Re:
I disagree on this.
The ultimate responsibility lies on the company because, well, it is their responsibility to do so.
That’s like saying that the responsibility of someone dying in the operation room is the patient’s (in cases where there was a fuck up from the doctors’ side, I mean), because they chose to go to that doctor instead of to another that wouldn’t be so negligent.
You are not supposed to know the specifics of any service you pay because it isn’t your job to do so. That’s why you hire them. If they are required by law to meet some standards, then they got to follow them. And if they aren’t, then it’s time to change the laws so that they are supposed to work the way we want, and not the way they want.
The only responsibility of a customer is to pay for the service provided and to use it responsibly, taking into account the limits any normal person has.
Any problem related to the product or that is too complex for your normal customer to tackle, that’s the provider’s responsibility and not yours.
Because that’s what means being a professional. You take responsibility for your work, not your customer. You’re the expert, not him.
Re: Re: Re:
While I mostly agree, shouldn’t parents have been hesitant to provide their children’s birthdates and home addresses? (A home address is understandable if Vtech were going to mail a product but it doesn’t seem that was happening.) It’s odd that we didn’t hear about this data collection till now. Somebody should have been alarmed they were even requesting it, and went to the media if Vtech didn’t respond by making it optional or offering a product refund.
Re: Re:
I too must disagree. Vtech are a Hong Kong based company. Their collection of personal data falls under the jurisdiction of Hong Kong’s Personal Data Ordinance. VTech are meant to:
1. Ensure the collection of personal data is lawful, fair and not excessive. VTech must identify to a data subject the information it is collecting about them.
2. Ensure that all practicable steps have been taken to protect personal data against unauthorized or accidental access.
Unless VTech really did make an effort in the security department, they are royally screwed.
Catalog Coming Soon
Coming soon to a dark net near you…
From Vtech, we have acquired a large database of the following information:
“… names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.”
These data allow us to provide a catalog, shopping app with entries of the form:
gender (sortable)
age (sortable)
picture (some)
home address
name
parents’ names
The catalog app offers a distance filter that allows the user to enter a personal geolocation and maximum radius to identify potentially local items.
Re: Catalog Coming Soon
This is ominous, frightening, and deadly accurate. Every one of those children is now at serious risk, and will REMAIN at serious risk for years to come.
Vtech should not just be sued, it should be prosecuted.
IoT done wrong
Which is why everyone should avoid IoT things like the plague. The sad thing is that IoT could be done in a way that eliminates this problem simply by having the devices talk to a server placed in the home instead of in the cloud. But that would eliminate the entire reason companies are so excited about IoT: the expanded spying opportunities.
Everyone's been kinda slow on the uptake here
Since I saw this news come out last weekend, one specific claim has had my BS detector going off-scale: that the leak involved the information of over 4 million parents, but only about 200,000 children.
Think about that ratio for a minute. (Go on, I’ll wait.)
How is it that nobody seems to have questioned this completely upside-down ratio? If over 4 million parents apparently bought and registered vtech’s surveillance toys, how is it that 3.8 million of these rocket scientists managed not to give the toys to their children? (I’m having trouble accepting the notion that these parents failed to “personalize” their unfortunate children’s “experience” by passing along all the info vtech seems to have been fishing for.)
And now I see that my suspicion was well founded: vtech now admits that the number of affected toddlers is actually over 6 million, not the 200,000 they first claimed. (El Reg has a fresh article on this.)
I’m a bit disappointed in the apparent lack of attention demonstrated by these vtech articles. You guys can surely do better.
Re: Everyone's been kinda slow on the uptake here
The vast discrepancy in numbers of parents VS children was indeed bothersome, but I had assumed it was because most of the parents had simply and correctly decided against inputting their child’s information, as it was obviously unnecessary and dangerous.
Silly me.
Re: Re: Everyone's been kinda slow on the uptake here
Or 3.8 million people registered other products made by Vtech
Re: Everyone's been kinda slow on the uptake here
Personally, I noticed the discrepancy but thought it was of little importance. It just strongly indicates that VTech is lying about the number of kids involved, but that was already a well-established fact.