Identity theft risk for 6m children
The breach underscores how digital products aimed at children often have far weaker security than other computer products, and may pose a threat to a booming industry. Shipments of toys that connect to the internet will rise 200% over the next five years, according to estimates by UK-based Juniper Research.
It is not clear what the motive was for the VTech breach or whether it has resulted in any identity theft so far. Still, it is a warning for people who don’t understand how much data and sensitive information is in a child’s toy.
“The last thing you would ever imagine is that a toy manufacturer would lose your child’s identity,” said Liam O’Murchu, from Kildare and a researcher for Symantec who is known for his work dissecting complex malware produced by nation states. “
This shows that it’s harder and harder to do things safely online.”
In VTech’s case, buyers of the company’s cameras, watches, and tablets are encouraged to provide names, addresses, and birth dates when signing up for accounts where they can download updates, games, books, and other content.
VTech said the hackers compromised its Learning Lodge app store, which provides content for children’s tablets, and its Kid Connect mobile app service that lets parents communicate with those tablets.
Toys that gather data on the user, like VTech’s line of cameras, watches, and tablets and their associated websites, will grow by 58% annually, according to Juniper.
That category includes dolls like Mattel’s recently introduced Hello Barbie, which connects to home wireless networks and communicates with servers to enable conversations by uploading audio and getting responses from the cloud.
Mobile security firm Bluebox and independent security researcher Andrew Hay disclosed that it had jointly uncovered multiple vulnerabilities in iOS and Android apps that work with the device, as well as its cloud servers operated by technology partner ToyTalk.
Among their findings, they claim the app could be hacked to reveal passwords, could be tricked into connecting to hostile networks controlled by hackers, and that the servers were vulnerable to some types of attacks.
Mattel spokesman Michelle Chidoni said the toymaker and Hello Barbie technology partner ToyTalk have taken steps to ensure the products meets security and safety standards.
ToyTalk said it had already fixed many of the issues raised.
It’s too soon to say if the breach will hurt sales. VTech’s stock has fallen 2.6% in the past week as it hired forensic experts, responded to government investigations on three continents, and temporarily shut down more than a dozen websites, including a messaging service and children’s app store.
CONNECT WITH US TODAY
Be the first to know the latest news and updates
