Popular toy maker VTech recently managed to get away with illegally collecting data on children without obtaining express consent by agreeing to pay $650,000 as fines to the FTC, but the agreement may bode well for children’s safety and the security around connected toys.
A massive data breach in 2015 had exposed sensitive details of over 6.3 million children which VTech had collected without obtaining parents’ explicit consent.
Back in 2015, an ethical hacker, while testing the security of servers owned by Hong Kong-based toy firm VTech, managed to access chat logs, audio recordings and photographs of over 6.3 million children. As it later turned out, such information was illegally collected by VTech using onboard cameras in toys without informing parents about such data collection activity, let alone obtaining their consent.
Following the revelation, the US Federal Trade Commission launched an investigation into VTech’s data collection activities to track the firm’s compliance with the Children’s Online Privacy Protection Act. The firm has now agreed to settle its case with the FTC by paying $650,000 as fines and by agreeing to strengthen the security around its connected toys. Considering the number of children who were affected by the breach, VTech paid an average of 22 cents for every child whose privacy it had violated.
An assessment of the privacy and security of smart toys by independent security researcher Sarah James Lewis and commissioned by Top10VPN.com has revealed that connected toys continue to feature critical vulnerabilities that impact security and safety of children.
While checking five different smart toys for vulnerabilities, the team was able to hack into all of them using Wi-Fi connections and also found that none of the toys used secure Bluetooth pairing, thereby rendering themselves vulnerable to attackers.
‘Most of the toys that we looked at provided a mechanism for updating the firmware onboard the toy. While every toy had a different update mechanism we found all of them to be flawed, often making it trivial for an attacker to damage a device or, with more skill and effort, install malicious software onto the device itself,’ Lewis noted.
While the Q50 Smart Tracking Watch allowed an attacker to intercept all communications, remotely listen to the child’s surroundings and spoof the child’s location, the Andromeda NOMAD ND1 RC Car allowed an attacker to take complete control intercept the video stream from the built in camera, the Sky Viper v2400 HD Streaming Drone allowed a hacker to intercept live video, access previously captured pictures and video, and lock users out of their device, and the AirHogs FPV High Speed Race Car allows an attacker to intercept video via the onboard Wi-Fi.
The presence of these smart toys, featuring various critical vulnerabilities, on online shopping portals and in shops significantly impacts the safety and security of children. While VTech’s admission is a positive step in the fight for better security protocols in IOT devices, a lot of work needs to be done in the days ahead.
Commenting on VTech’s promise of strengthening the security of its toys, Simon Migliano, Head of Research, Top10VPN.com says: ‘Monetary value aside, this is a great start in the fight to protect children’s safety when it comes to connected toys. However, this is just one case and there are hundreds, if not thousands of different connected toys and devices made by different manufacturers that leave children exposed to hackers.
‘Governments across the world have time and time again been warned about the dangers unsecured devices pose and must do more to ensure the safety of children by enforcing much stricter security protocols on connected toys,’ he adds.
Back in November, reacting to an increasing number of reports on insecure IoT devices, the Information Commissioner’s Office warned citizens that Internet-connected toys and other IoT devices sold during the Christmas shopping season could put the privacy and safety of children at risk.
‘You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?,’ wrote Deputy Information Commissioner Steve Wood in a blog post.
‘In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into,’ he added.