US states probe VTech hack, experts warn of more attacks

1 Dec 2015

‘Massively negligent’: children’s photos, audio recordings released after toymaker VTech breach.

VTech, a Hong Kong-based company that sells baby monitors and digital learning toys such as children’s tablets, announced over the weekend that the data for 5 million “customer accounts and related kids profiles worldwide” were compromised as part of a cyberattack.

A hacker who gained access to the servers of Hong Kong electronic toymaker VTech obtained more than just the email addresses, passwords, and home addresses of nearly 5 million adults — he or she also found tens of thousands of photos of children. “Frankly, it makes me sick I was able to get all this stuff,” the hacker, who asked to remain anonymous, told Motherboard’s Lorenzo Franceschi-Bicchierai. “VTech should have the book thrown at them.” The hacker said some of the data came from VTech’s Kid Connect service, which lets parents using an app on their smart phones chat with their kids on a VTech tablet.

Toy maker VTech on Friday admitted that 5 million of its customer accounts — including at least 200,000 accounts related to children — had been breached.

A breach of almost five million parents and 200,000 kids’ online accounts with digital toy maker VTech — which affects some 18,000 Australian parents and children — just got much worse.

The stolen data included names and birthdates of children, mailing addresses, email addresses, as well as what e-books, learning games and other software were downloaded to toys, the company said in a statement posted online. The hacker has released to a news organisation select photos, audio recordings and text chats, created by the kids using high-tech internet-connected toys, that were meant only for the children and their parents. It comes as US states said they would investigate the massive breach at the toy maker and as security experts warned that hackers were likely to target similar companies that handle customer data. Parents communicated with their sons and daughters via Kid Connect, a chat service app on which identifying information – like the first name, birthday, and gender of more than 200,000 youngsters – was stored along with photos and further details regarding the account and household. The Hong Kong-based toy maker disclosed the attack on Saturday, saying information about nearly five million adults and children had been stolen in an attack on a portal used to download games to its computer tablets.

In addition to customer information, information from Kid Connect — a service VTech set up to allow parents and their kids to communicate — was also breached. But the VTech breach shows this data isn’t always being guarded well. “Toy companies are rushing to cash in on the changing nature of childhood in the ‘big data’ era, where Internet-connected toys are linking children to a vast surveillance network,” said Jeffrey Chester, the executive director of the Center for Digital Democracy. “These playthings can monitor their every move, turning what should be an innocent and pleasurable experience into something potentially more sinister.” VTech sells popular toys mainly for young toddlers, including its Sit-to-Stand Learning Walker, Baby’s Learning Laptop, and Kidizoom Smartwatch DX.

According to Have I Been Pwned, a free web service showing which email addresses have been exposed in a hack, the VTech episode is the fourth largest consumer data breach in history. “That’s very negligent,” Troy Hunt, creator of Have I Been Pwned, told Motherboard. “They’ve obviously done a really bad job at storing passwords.” The VTech hack is larger than the January 2014 hacking of Snapchat, but is dwarfed by an October 2013 breach of Adobe, which affected 153 million usernames, email addresses and encrypted passwords. Earlier this year, a hack revealed 30 million Ashley Madison users’ email addresses, serving as a lesson to adults who need strong protection to conceal their behavior. The company took down the Learning Lodge website, and as of Monday, had left a message: “Due to a breach of security on our Learning Lodge website, we have temporarily suspended the site.” VTech is hardly the only company going high-tech. And now that we know that it wasn’t just user information — but photos and chat logs — it’s going to be hard for VTech to continue to try to pretend that everything is all right. This holiday season, Fisher-Price has been hawking its Smart Toy Monkey as an “interactive learning buddy” that “talks, listens and remembers what your child says.” The new Hello Barbie, a doll that uses artificial intelligence to learn about children and carry on real-time conversations, was released earlier this month — raising alarm bells for some consumer protection watchdogs.

For adults, hacks that leave personal information — collected by credit agencies, banks, “dating websites” and even the federal government — up for grabs are an all-too-common occurrence. Australian computer security researcher Troy Hunt, who collaborated on the reporting of the hack with Motherboard, told Fairfax Media that VTech made “so many stupid mistakes” in securing their customers’ information and were “massively negligent”.

Mattel and ToyTalk, the company behind the doll’s voice features, have gone to great lengths to assure customers that information the doll collects will be safeguarded. To stop such breaches in the future, Mr Hunt said that there had to be punishment for companies that didn’t secure information correctly, but few countries currently have laws to facilitate this.

A SQL injection flaw, one of the most common types of problems with websites, can allow a hacker to enter commands into a Web-based form and get the back-end database to respond. Such disclosure laws were meant to be introduced into the federal parliament by the end of this year, but there are only a few parliamentary sitting days left and it seems unlikely they will get through. He verified the leaked data by contacting some people who had registered for his service, which notifies people if their email addresses turn up in a new data breach. Meanwhile, some experts said that they expected to see more breaches involving information collected through digital toys and other web-connected devices, a category of products known in tech circles as the internet of things, or IoT.
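The sentence above describes SQL injection in one line: a value typed into a web form is spliced into the SQL text, so the database executes whatever the value turns it into. The following example, added here and not taken from the article or from VTech’s code, shows the defect and its fix side by side against a constructed in-memory SQLite table (the table, rows and function names are all assumptions for illustration). The vulnerable lookup concatenates the form value into the query; the hardened lookup binds it as a parameter, so the driver treats it as data and the query’s logic cannot change.

```python
import sqlite3

# Constructed sample rows standing in for a customer-account table; not VTech's schema.
SAMPLE_ACCOUNTS = [
    ("parent1@example.com", "Alice"),
    ("parent2@example.com", "Bob"),
    ("parent3@example.com", "Carol"),
]


def make_db():
    """Create an in-memory database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, first_name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation: the form value becomes part
    of the SQL text, so a crafted value rewrites the WHERE clause."""
    sql = "SELECT email, first_name FROM accounts WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Binds the value as a query parameter: the driver passes it as data,
    never as SQL text, so the query's logic is fixed when the code is written."""
    sql = "SELECT email, first_name FROM accounts WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal address and with a textbook tautology,
    and return how many rows each call yields."""
    conn = make_db()
    normal = "parent1@example.com"
    crafted = "' OR '1'='1"  # constructed input; becomes WHERE email = '' OR '1'='1' when concatenated
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the crafted value returns every row in the table; with the bound parameter the same value matches nothing, because no account has that literal string as its email. The fix is not input filtering but keeping data and SQL text separate, which is what parameter binding does in every mainstream database driver.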

In a lengthy blog post on Saturday, Hunt described how his investigation of VTech’s Learning Lodge and associated online services turned up numerous egregious security issues. If the agency were to investigate VTech, that investigation may be complicated by the international nature of the breach: The company is based in Hong Kong and it affected consumers from across the globe. VTech’s account registration services do not use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts data sent between a user’s computer and a service, Hunt wrote. Attorneys general in Connecticut and Illinois also said on Monday they would probe the breach, though their representatives declined comment on the focus of their inquiries.

But as Security Evangelist Jessy Irwin notes, that doesn’t make the information worthless. “Every industry is having issues with security, but when you’re dealing with education, kids and minors the privacy and security processes need to be thoughtful and reflective.” She added that, “While kids’ data may not have a high monetary value, we have seen tons of criminal groups go on land grabs for their blank identities and use it for their own gain.” In the wake of the AshleyMadison hack, I discussed the ongoing battle of accountability when these sorts of hacks happen. Unfortunately, she thinks it will take more security breaches to make the news before anything changes. “People are too used to a new breach every week,” she said.

Larry Salibra, chief executive of bug-testing platform provider Pay4Bugs, said that it looks like VTech failed to properly secure sensitive data by encrypting it so that it would be difficult to unscramble and useless if stolen. The flaws, he said, have been reported to VTech. “The flaws are fundamental, and the recommendation I’ve passed on is to take it offline ASAP until they can fix it properly,” Hunt wrote. “You just can’t take chances with other people’s data in this way, especially not when they’re kids.” Chris Eng, vice president of security research at Veracode, said some consumer technology companies don’t view security as a primary part of their core business, and “they’re paying the price for it.” “VTech is a toy company,” Eng said. “Toy manufacturers don’t have the rigor around secure development that’s needed in today’s environment and are inevitably going to fall short on security.”
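Hunt’s remark earlier that VTech had “done a really bad job at storing passwords” and Salibra’s point here about making stored data useless if stolen both come down to one control: never store a password in a form that a leaked database turns back into the password. The example below is added here and is not the article’s or VTech’s code; it contrasts the weak pattern (an unsalted, single-round hash) with a salted, iterated PBKDF2-HMAC-SHA256 record and a constant-time verifier. The record format, the iteration count and the sample accounts are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to the deployment's hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The weak pattern, shown for contrast only: no salt, one round. Two users
    with the same password get the same digest, and a leaked table can be
    matched against a precomputed dictionary without touching the server."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record:
    algorithm$iterations$salt_hex$digest_hex (constructed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time. Malformed or foreign records verify as False."""
    try:
        algo, iter_str, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iter_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def demo():
    """Two constructed accounts chose the same password; compare what each
    storage scheme reveals and how verification behaves."""
    pw = "correct horse battery staple"  # constructed sample password
    weak_a, weak_b = weak_hash(pw), weak_hash(pw)
    strong_a, strong_b = hash_password(pw), hash_password(pw)
    return {
        "weak_records_identical": weak_a == weak_b,
        "strong_records_identical": strong_a == strong_b,
        "verify_ok": verify_password(pw, strong_a),
        "verify_wrong": verify_password("wrong password", strong_a),
        "verify_garbage": verify_password(pw, "not-a-record"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-record salt is what makes the two strong records differ even though the passwords match, and the iteration count is what makes each guess against a leaked table cost real CPU time. Storing the parameters inside the record lets the verifier keep accepting old records while new ones are written with a higher work factor.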

