The Internet of Dangerous Toys?

Breach Response , Data Breach , Data Loss

The Internet of Dangerous Toys? VTech Breach Launches Our Season of Digital Dystopia The Internet of Dangerous Toys?

Bad news, kids: Santa just called, and Christmas is canceled until he can work out a few fatal information security flaws in the North Pole portal and associated e-learning toys that are leaking millions of children's and adults' personally identifiable information, including their names, where they live and contact details.

Of course Christmas isn't going to be canceled this year, except perhaps for executives at breached Hong Kong-based consumer electronics manufacturer VTech. The company describes itself as "the global no. 1 player for electronic learning products," but its alleged attacker claims to have hacked the business using an easy-to-prevent SQL injection flaw (see Why VTech Breach is So Bad - and So Avoidable).

"If only we could systematically reach manufacturers before they decide to make something smart, and tell them how to do threat modeling and security by design." 

Unfortunately, electronic learning products can be bad for your children's privacy. Indeed, the company has acknowledged that its breach exposing profiles for 6.4 million children and 4.9 million adults occurred because its app store, online virtual world for kids and parent-child chat apps "were not as secure as they should have been."

After #VTechHack, will you buy your child an Internet-connected toy for the holidays? https://t.co/wFx35jE5ng

'Tis the Season of Digital Dystopia

All of this is a depressingly familiar script for anyone who's been watching the Internet of Things and the lack of security practiced by the manufacturers churning out so many of these inexpensive, Internet-connected light bulbs, thermostats, door locks and teddy bears. And the penalty for anyone who fails on the security front is simple: apologize, patch and keep selling, no matter what type of private information you may have imperiled.

As one ISMG reader quips: "Free credit monitoring will be provided to all children affected, for one year, free of charge of course. No worries."

No doubt we'll see a lot of related theatrics in the aftermath of the VTech breach news. Expect to see one or more U.S. Congressional hearings featuring a digitally illiterate lawmaker holding up a VTech Cora the Smart Cub in front of privacy experts and representatives from the consumer electronics lobby and screaming, "How dare you cyber endanger our children!"

While there will be a lot of talk, if history is any guide, we'll see scant action on the part of either legislators or manufacturers. That's in spite of the fact that if VTech had approached a reputable Web application security expert, it likely could have prevented these security shortcomings with minimal time, effort or impact to the pre-holiday production schedule.

"If only we could systematically reach manufacturers before they decide to make something smart, and tell them how to do threat modeling and security by design," says Luxembourg-based information security consultant Claus Cramon Houmann at ImproveIT Consulting. He's a member of I Am the Cavalry, which is one of several groups that information security experts have launched to warn businesses about how to avoid bringing insecure products to market.

Some other electronic learning product toymakers claim that, unlike VTech, they have data security measures in place to ensure that their devices are "safe and secure" to use. But obviously, not all organizations have gotten that message.

My Holiday Wish

If I have one wish for next year, it's that more firms will at least pay attention to Web application threats. Another recent apparent SQL injection flaw sufferer was U.K. telecom giant TalkTalk, which was allegedly hacked - and then blackmailed - by a group mostly composed of teenagers.

But the SQL injection attacks that allegedly struck both businesses aren't advanced, persistent or even misunderstood. Indeed, Australian data security expert Troy Hunt has demonstrated that these vulnerabilities can even be - nearly - exploited by his 3-year-old child using a free version of the "point and shoot" penetration-testing tool Havij.

Memo to VTech: Maybe it's time to buy any security engineers on your team a copy of Havij and give them time to use it. Because falling victim to easily preventable SQL injection attacks is "absolutely unforgiveable," says Rik Ferguson, vice president of security research at security firm Trend Micro, speaking at the recent Irish Cyber Crime Conference in Dublin.

Finally, given the apparent security shortcomings inherent to so many Internet-connected products - including toys - the best advice for parents might be to avoid them altogether, and not just on security grounds. For example, Sean Sullivan, a security adviser at Helsinki-based security firm F-Secure, says he's purposefully avoided giving his young son any Internet-connected "smart" toys, and will continue to do so.

"My son's toys are imagination-connected," he says.