The VTech scandal, as reported yesterday by this publication, has taken another sinister turn. Aside from the passwords, secret questions, answers and other pieces of information gold, the attacker took chat logs and photos dating back to late 2014.
The company, which makes electronic toys for kids, sold one particular app called Kid Connect. The pictures and chat histories were apparently taken from customers who had downloaded this particular app, which allowed parents to use their smartphone to talk to their kids through their VTech devices.
The full scale of the breach, which happened on 14 November, is still emerging. One of those apparently involved in the hack on VTech spoke to Motherboard, saying that VTech left plenty of other sensitive data on its servers.
The cyber-security industry has responded with predictable disapproval. Ross Brewer, vice president and managing director for international markets at LogRhythm, spoke to SCMagazineUK.com. “In an adult world, this would be the equivalent of a hacker accessing and stealing your photos and conversations from Facebook,” he said.
Warming to his subject, he added, “The fact that VTech did not take even the simplest steps and encrypt their server renders me speechless. Big breaches at Sony and TalkTalk have made it clear just how easy – and damaging – it is for hackers to exploit a company's weak point, so it's more important than ever that businesses show they are going above and beyond to protect the data they are entrusted with – particularly when this data relates to young children.”
Gerard Bauer, VP EMEA at Vectra Networks, told SC: “There's still been no clarification as to what data has been stolen exactly – which is shocking when images of minors may be involved. With the availability of real-time detection methods today, this prolonged timeframe of almost three weeks after VTech was first infiltrated is unacceptable.”
Bauer added that, “For VTech, the 27th of November was certainly a Black Friday, with the custody of personally identifiable information (PII) – including that of minors, which involves a significant duty of care – appearing to have failed on many levels. As we approach a holiday season where more connected toys and devices will be purchased than ever before, VTech's breach provides a poignant reminder that security is a growing strategic issue for organisations and needs to be architected into their operations from the get-go.”
The vulnerability of connected toys to hacking, and of the children who use them, has made headlines in the last couple of days. In a separate story, the new model of Barbie, the first of its kind to be interactive, has been shown to be easily hackable. The children's toy, which responds to user commands much like Windows' Cortana, is run through an iPhone app that one security researcher says is vulnerable to attack.
Matt Jakubowski, a researcher in Chicago, told NBC that he could easily penetrate the toy and glean all kinds of information from it, as well as being able to remotely hijack it and make the doll say whatever he desired. With Christmas just around the corner and retailing at only £50, the ‘Hello Barbie’ seems like the perfect gift for the mischievous young hacker.
David Emm, principal security researcher at Kaspersky, said: “Concerns about the doll centre mainly around privacy – the fact that secrets entrusted to the doll by a child are shared with Mattel and its partners. There's also the potential risk that such data might fall into the hands of hackers, if the security of Mattel or its partners is breached.”
Emm added: “We live in a connected world, where even our children's toys could become the means for personal data being captured by attackers. It's really important that, when considering such toys this Christmas, parents look beyond the fun aspect of a toy and consider the impact it might have on their child and the wider family.”