On Black Friday, we learned that someone hacked into the servers of VTech, a Chinese toy-maker. He or she obtained the personal information of nearly 5 million parents and more than 200,000 children. This included home addresses, names, birth dates, e-mail addresses, and passwords. Even more, it had photographs and chat logs between the parents and kids.

Furthermore, Bluebox security discovered vulnerabilities in Mattel’s Hello Barbie, the Internet-connected version of the doll. This raises questions. How many of these toy-making companies have secure databases? How many children will be affected from lax security?

The Internet of Things- devices that are connected to each other and the internet- has no real regulations. This is just toys; it includes appliances, cars, and unconnected digital and semi-analog devices. Companies don’t feel obliged to invest time, money, and effort into keeping securing their devices. There aren’t any international guidelines. On top of that, these companies are not required to tell consumers what information they are gathering and how they will protect it. Fiat Chrysler Automobiles had known about their security vulnerabilities with their touchscreen and Uconnect systems yet they didn’t bother fixing the issue until  Wired Magazine and The Post published articles showing how vehicles can be hijacked while the driver was at the wheel. In other words, hacking can be a life-threatening issue.

Children are especially vulnerable to cyber attacks. It is also an emotionally charged attack because parents feel responsible for their kids. Just last year, Fox 19 reported a man hacked into a baby monitor in a home in Cincinnati, Ohio and started screaming “Wake up baby!” at a 10 month old child. The parents were horrified.

VTech did quickly admit that their security was not up to par. However, they had no real incentive to worry about security. VTech earns about 2 billion dollars in revenue and their Internet-connected toys are among the fastest area of its growth. According to Vivek Wadhwa, fellow at Rock Center for Corporate Governance at Stanford University, a potential solution to prevent breaches from happening is to raise penalties for lax security. Him and his colleagues also researched how they can mandate businesses to create systems that allow the consumer to control their own data. One proposal was that they create a system that allows people to manage their data by connecting their devices to a “personal dashboard”. Similar projects have been implemented such as OpenSensors and Wolfram Connected Devices Project.

Wadhwa concludes that “it is important to set standards now and ensure a safe cyber world for our children and ourselves.”

UPDATE: Police arrested a 21-year-old man on Tuesday as part of the investigation on the hack against Hong Kong-based toy-maker VTech. VTech previously said it is “cooperating with law enforcement worldwide” and that Mandiant is reviewing how the company handles customer information so it can “further strengthen” the security of that data. (Read the full article here)

Article via Washington Post, December 11, 2015

Photo: Vtech Video Painter circuit bent by ASMO via asmo23 [Creative Commons Attribution-NonCommercial-NoDerivs]