Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings
from the because-we-can dept
As companies race to embrace the inanely-named "internet of things" (IOT), security and privacy are usually a very distant afterthought. That's been made painfully apparent by "smart" refrigerators that expose your Gmail credentials, "smart" TVs that transmit your living room conversations unencrypted, or "smart" tea kettles that compromise your Wi-Fi network security. In all these examples the story remains the same: everybody's so excited to connect everything and anything to the internet that few companies can be bothered to do so intelligently and correctly.
And with the mad rush to bring this kind of aggressive myopia to toys, the lack of security is now impacting kids as well. Late last week a hacker revealed that he (or she) had hacked into the servers of Hong Kong-based toy company Vtech, exposing the data collected by the company's "Kid Connect" service (which lets parents use smartphones to talk to kids using toy tablets and other devices). Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.
What's more, the hack revealed that Vtech was storing kid selfies, voice recordings, and even entire chat logs between parents and their kids. In short, Vtech was gathering and saving pretty much anything these devices could get their hands on. VTech didn't respond to questions regarding why it needed to store all this data. And that's likely because, like most IOT gear makers, it didn't much think about it. It was so enamored with the gee-whizzery of gobbling up all manner of user data for later use that it couldn't much be bothered to ensure fundamental security best practices.
As Mark Nunnikhoven at Trend Micro remarked shortly after the hack was revealed, the lure of IOT has many companies collecting far more data than they could ever even conceivably need -- just because they can:
"This opens the organizations up to unnecessary risk. If the words "might", "possible", or "potential" are used in an argument supporting the collection of data, you're about to violate the principle of least data. You should only collect and store data for well understood use. Data should be evaluated for its overall value to the organization and—just as importantly—the risk it can pose to the organization. Unless the cost to acquire the data in the future is so ridiculously high that it's infeasible, you should always opt to collect and store the data when you have a concrete use for it."
That's common sense, but the excitement surrounding IOT has made it clear that common sense doesn't enter into it. At least not in the design and implementation phase. Only once they're caught not giving a damn about security or privacy do these over-enthusiastic companies suddenly become model citizens. Vtech is of course no exception, having since issued a press release stating it has shuttered many of the websites hoovering up this data. The company also reiterates how it's "committed to protecting our customer information and privacy":
"We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future."
But if companies were so breathlessly committed to privacy, they wouldn't rush products to market and leave fundamental security standards as a distant afterthought in the first place. And with everything from your smart toaster to your kids' Barbie doll now gobbling up an ocean of household data, it's going to be an increasingly ugly lesson to learn.
Filed Under: hack, internet of things, kids, logs, privacy, toys
Companies: vtech
Reader Comments
The $1000 seems small compared to the potential damage done to each person, but the resulting $4.8 billion fine wouldn't be out of place, no? It'd certainly start getting some attention...
Vtech needs to be sued out of business quickly
This is a pedophile's or identity thief's dream: it's enough to convince children "mom sent me to pick you up, hey look, I even know your birthday" or enough to start setting up identity theft that happens years down the road.
Unless Vtech is absolutely hammered for this, other companies will do the same. And in doing so, they're going to expose an entire generation of children to massive risk for no reason other than their own hubris.
Re: Vtech needs to be sued out of business quickly
People could simply stop buying Vtech products.
Re: Re: Vtech needs to be sued out of business quickly
the sheeple could do ALL sorts of stuff if they acted in concert...
prolly not gonna happen until the bread and circuses run out...
then it will be too late...
besides -no slur upon techdirtia- but how many parents are tuned in to this website on the off chance some tech-related story has this impact on their special snowflakes ? ? ?
otherwise, it gets a 10 second mention on the mainstream news, then down the memory hole it is flushed ! ! !
Re: Re: Re: Vtech needs to be sued out of business quickly
Re: Re: Vtech needs to be sued out of business quickly
Yes they could, but unless Vtech is punished hard for this, what's going to motivate the next company to install more safeguards and not collect so much data? Absolutely nothing.
Re: Vtech needs to be sued out of business quickly
You mean wet dream, right? Because all around, I do believe that's more accurate. Not to be disgusting.
Re: Vtech needs to be sued out of business quickly
Re: Vtech needs to be sued out of business quickly
Just like "No Capes!" ..
Buy dumb appliances
Home equipment like lawn gear now has software in it we can't do anything with. Now toys. Of course we can't inspect the software because manufacturers don't want us to know what it is doing. Case in point, VW sure didn't want anyone poking around to discover its trade secret. Right!
I see a new market for dumb appliances as they become harder and harder to find.
Re: Buy dumb appliances
I think that may be problematic.
Re: Buy dumb appliances
Are they investigating the implementers too, I hope?
Additional to the current absolute lack of security, as apparently there was none. How can people write shit like this with a straight face? Have we managed to completely de-select away that gene that once allowed us to admit, "We fucked up, sorry. We'll do our best to fix this, and put in the necessary effort to ensure nothing like it ever happens again. We feel really stupid right now, and the idiot whose job it was to handle this is being flogged to death as we write."
CYOA
That right there should be considered a priori evidence of criminal negligence on the part of VTech. It's basically Websites 101 that if you store passwords in such a way that it's possible for a hacker to read them, you're Doing It Wrong.
Some people without experience in such matters may look at this and say, "but wait, if you don't store the password, how do you validate it when you log in?" The answer is, you store a hash of the password, which is a technical transformation that's kind of like encryption, except it can only be performed one-way. (You can decrypt something that's been encrypted if you have the key, but you can't de-hash hashed data.) When the person tries to log in, you hash the password that they sent and if the hash matches, you're confident that the password is correct, since a properly designed cryptographic hash makes it exceptionally unlikely that two different passwords will hash to the same value.
Getting the details of password hashing right can be complicated, but if the hacker got everyone's passwords, that means VTech was almost certainly storing them in plain text (not hashed at all) or using a hash that's known to be broken (the math for some of them has flaws that do make it possible to reverse the hashing process a lot of the time). Doing either one would be considered grossly negligent by any competent programmer.
Re:
To me it seems that whoever implemented it, knew that a password should be hashed, but wasn't knowledgeable or experienced enough to know exactly how to do it properly.
Re: Re:
Which is almost as bad as not hashing them at all.
Think of the children!! It's for the children!!
Now, advocates for privacy and encryption got the proper argument to make so that the government does what they want.
Re:
https://en.wikipedia.org/wiki/Room_641A
http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html
and some of these details show just how naive at Net security Vtech truly was.
Storing passwords as plain text is all too common even now, and not confined to children's products. There is a manufacturer of internet modems & routers which does the same thing with the admin passwords for at least some of its ADSL2 modem routers meant for home use!
As for the impact of this particular hack, VTech itself now admits:
https://www.vtech.com/en/press_release/2015/faq-about-data-breach-on-vtech-learning-lodge/
Given the growing trend towards connecting everything to the Net, VTech and its problem probably merely represent the small tip of a large (and growing) iceberg.
Yes, blame the hacker, but blame the company more!
It is ridiculous to watch these big companies basically leaving the door open and getting away with blaming the hacker every time.
I know they will lose customers and future profit, but the amount pales compared to what they have made from those products in the past so in the end, it is a payday and a financial reason not to do it.
The favorite excuse is that "it's business, what did you expect?" Well I do expect businesses to act like adults and act responsible with the valuables that people entrust to them. For far too long we have accepted atrocities in the name of money and business.
Maybe we need to treat them like children if they insist on acting like it. With that I mean to send someone to do some serious forced security audits from an external source and make them pay when they don't live up to reasonable standards. They obviously aren't grown enough to police themselves.
There needs to be a trial when data shows up on the internet, but both for the hacker and the company: if the company is found, by a security expert, to not live up to security that fits their exposure, the kind of data leaked, the size of the company and other factors. Lastly they need to really feel the punishment so they can come to no other conclusion than that better security practices are the only profitable way to go.
Companies don't care about security for one reason: they're not held accountable for any breach of information. While it's true they must offer credit protection, the consumer is still required to take the offer. Otherwise, the company walks and the consumer deals with the fallout.
Re:
The ultimate responsibility lies on the company because, well, it is their responsibility to do so.
That's like saying that the responsibility of someone dying in the operation room is the patient's (in cases where there was a fuck up from the doctors' side, I mean), because they chose to go to that doctor instead of to another that wouldn't be so negligent.
You are not supposed to know the specifics of any service you pay because it isn't your job to do so. That's why you hire them. If they are required by law to meet some standards, then they got to follow them. And if they aren't, then it's time to change the laws so that they are supposed to work the way we want, and not the way they want.
The only responsibility of a customer is to pay for the service provided and to use it responsibly, taking into account the limits any normal person has.
Any problem related to the product or that is too complex for your normal customer to tackle, that's the provider's responsibility and not yours.
Because that's what means being a professional. You take responsibility for your work, not your customer. You're the expert, not him.
Re: Re:
Re:
1. Ensure the collection of personal data is lawful, fair and not excessive. VTech must identify to a data subject the information it is collecting about them.
2. Ensure that all practicable steps have been taken to protect personal data against unauthorized or accidental access.
Unless VTech really did make an effort in the security department, they are royally screwed.
Catalog Coming Soon
From Vtech, we have acquired a large database of the following information:
"... names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids."
These data allow us to provide a catalog, shopping app with entries of the form:
gender (sortable)
age (sortable)
picture (some)
home address
name
parents' names
The catalog app offers a distance filter that allows the user to set a personal geolocation and maximum radius to identify potentially local items.
Re: Catalog Coming Soon
Vtech should not just be sued, it should be prosecuted.
IoT done wrong
Which is why everyone should avoid IoT things like the plague. The sad thing is that IoT could be done in a way that eliminates this problem simply by having the devices talk to a server placed in the home instead of in the cloud. But that would eliminate the entire reason companies are so excited about IoT: the expanded spying opportunities.
Everyone's been kinda slow on the uptake here
Think about that ratio for a minute. (Go on, I'll wait.)
How is it that nobody seems to have questioned this completely upside-down ratio? If over 4 million parents apparently bought and registered vtech's surveillance toys,
how is it that 3.8 million of these rocket scientists managed not to give the toys to their children? (I'm having trouble accepting the notion that these parents failed to "personalize" their unfortunate children's "experience" by passing along all the info vtech seems to have been fishing for.)
And now I see that my suspicion was well founded: vtech now admits that the number of affected toddlers is actually over 6 million, not the 200,000 they first claimed. (El Reg has a fresh article on this.)
I'm a bit disappointed in the apparent lack of attention demonstrated by these vtech articles. You guys can surely do better.
Re: Everyone's been kinda slow on the uptake here
Silly me.
---
Re: Re: Everyone's been kinda slow on the uptake here
Re: Everyone's been kinda slow on the uptake here