Analysis: Spanning identity theft to grooming, the Internet of Toys poses a viable threat and highlights wider industry concerns.
Christmas is just around the corner, with parents checking Father Christmas wish lists and spending a small fortune on the latest must have toys.
However, this week toys and toymakers have hit the headlines, highlighting the potential dangers of connected toys and the data which toymakers collect and store.
Children’s toymaker VTech fell victim to a major data breach, with the personal data of nearly 5 million adults, and over 200,000 children, exposed when its app store database was attacked with SQL injection.
Although VTech said that no payment information was taken, the implications of the personal data being breached has huge ramifications surrounding privacy.
With names, addresses and ages being potentially breached, the dangers of identity theft, with the child the victim, is just the first viable concern.
Javvad Malik, security advocate at AlienVault, said: "Compared to adult identity theft, the danger with a child’s identity being stolen is that they may not be aware of it until they are old enough to apply for a bank account, credit card, driving license, mortgage or job.
"So technically, someone could steal a child’s identity and use that information till the child is 18 years old – by which time their credit rating or other personal records may be damaged beyond repair."
We are, however, assuming that the VTech hack was specifically aimed at gathering children’s information – an unlikely assumption considering that one of the main goals of a cyber attack is the stealing of data, any data.
"The bad guys are going after anything that’s not nailed down and it’s highly unlikely they even knew they would get the details of kids," says Jonathan Sander, VP of Product Strategy at Lieberman Software.
"Whenever the bad guys score a heap of data like this, that doesn’t immediately pay off like a bunch of credit card numbers, it’s going to be turned around to try and crack other sites."
This then highlights the industry concern of password fatigue and replication, with Sander asking:
"Did you use the same username and password for your VTech account at your online bank? For your credit card?
"Now the bad guys know some of your secret question answers – did you reuse those on other sites so they can simply reset your password to something they know? These are the things that really ought to scare people."
However, when it comes to technology and children, there is one fear above all others that is at the forefront of every parents mind – grooming.
Mark James, Security Specialist at ESET, said: "What’s terrifying here is the fact that children’s information has been stolen which could enable a third party to build a trust relationship that may enable them to converse or even befriend these unsuspecting those impacted by the breach."
This conversation around privacy, in particular children’s privacy, gains momentum and generates a new perspective when looking at the actual toys themselves. When looking at today’s shelves in any leading toy shop, it is smart, connected devices, not traditional toys, vying for your attention.
This is highlighted with news this week that Mattel’s ‘Hello Barbie’ doll has hits stores, equipped with a computer chip, microphone, speaker and Wi-Fi functionality. Of greater concern is the fact that the doll asks a question and records the child’s answer, relaying that information to Mattel’s technology partner ToyTalk.
With the VTech hack sitting in the background, proving a stark reminder of what could happen when children’s data is put in the hacker’s crosshairs, David Emm, principal security researcher at Kaspersky Lab, said:
"Concerns about the doll centre mainly around privacy – the fact that secrets entrusted to the doll by a child are shared with Mattel and its partners.
"Recently, security researcher Matt Jakubowski was able to extract Wi-Fi network name, internal MAC address, account IDs and MP3 files from the Hello Barbie doll [link]. This is enough to gain access to the Hello Barbie account and a home network – thereby compromising the wider security of any family of a child using the doll.
The pertinent question levelled at VTech is why, as a multi-national corporation, was there not sufficient defences and infrastructure to protect against cyber attacks? The question aimed at Mattel is similar, why was the device available to stores with flaws and security vulnerabilities?
Tod Beardsley, Security Engineering Manager at Rapid7, argues that these oversights from toymakers highlight a major, wider, issue facing the industry today.
"With the Internet of Things: companies of all sorts are rapidly morphing into information technology companies, but without the hard-won security learnings that traditional infotech companies now enjoy. It’s tough to be both a toy manufacturer and a mature technology company with a robust security program."
Unfortunately it is not just toymakers who have not earned their cyber security stripes yet, but all companies embarking on new technology – infrastructure or products. This demands a shift in strategy, incorporating security into product design, and bringing cyber security to the board room.
Louise Bulman, VP EMEA at Vormetric said: "As cyber attacks have become an inevitable reality, and there is no shortage of examples of the damage that lax security can do, the VTech breach highlights yet again that organisations should be focussing on making sure sensitive data remains protected when (not if) it falls into the wrong hands"
While businesses must shift to focus on data, privacy and overall cyber security demands, parents shouldn’t entirely dismiss connected toys, but as with anything cyber security-related, awareness and education are key.
Kaspersky’s David Emm said: "We live in a connected world, where even our children’s toys could become the means for personal data being captured by attackers.
"It’s really important that, when considering such toys this Christmas, parents look beyond the fun aspect of a toy and consider the impact it might have on their child and the wider family."