If you think electronic devices intended for kids are safer and more secure than most, prepare to have those fantasies shattered into a billion pieces. The electronic toy company Vtech had a recent security breach, and the details coming out will make your stomach turn.
According to the tech blog Gizmodo, a hacker successfully broke into the servers for Vtech’s wifi-connected tablets, digital camera, and smart watch, and made away with the full names, email addresses, passwords, and home addresses of some 4,833,678 parents. Even worse, they also took the first names, genders, and birth dates of over 200,000 children.
Just in case that’s not disturbing enough, it also came out yesterday that the hacker downloaded about 190 gigabytes — equal to tens of thousands — of photos from Vtech’s KidsConnect app. The KidsConnect app allows parents to use their smartphones to chat with their kids via Vtech’s tablets. Users are encouraged to upload a headshot, and those headshots are what was ultimately stolen by the hacker.
By far the most troubling element of the entire ordeal is how little Vtech was doing to protect the privacy and security of their customers. Most of us would assume a company with the names, home addresses, and photos of hundreds of thousands of kids would have an ironclad system in place to keep that information under wraps. As this hack revealed, Vtech was basically not even doing the bare minimum. The KidConnect app’s main security measure was an easily crackable algorithm that scrambles passwords, which was deemed “no longer safe” for use in 2012.
Security researcher Troy Hunt tells Gizmodo that all Vtech communications happened over “unencrypted connections,” even when those communications involved passwords, photos, and other personal information. Encryption is a process of encoding data so only authorized parties can read it, and it’s among the most basic security steps a company can take. The fact that Vtech wasn’t even doing that, in addition to having virtually no other security measures in place, is appalling and should make us seriously question what’s going on at other kid-friendly companies.
If there’s one bright spot in this entire mess it’s that the hacker actually spoke with MotherBoard and says he has no intention of selling the data he collected. During an encrypted chat with writer Lorenzo Franceschi-Bicchierai, the anonymous hacker even shared in our collective distress, saying, “Frankly, it makes me sick that I was able to get all this stuff. VTech should have the book thrown at them.”
Even though this security breach is specific to Vtech, it leaves us with some lingering questions about our kids’ security when using other types of devices. Vtech is not the only company making smart devices intended for children — there are any number of kids’ cameras, tablets, watches, and even smart Barbie dolls on the market. It’s not a stretch to imagine other companies could be skimping on security just like Vtech.
As we head into the holidays and are anxious to find that perfect, cool device our kids will love, we should also take into consideration the information being accessed by that device and how it can be used against us. Hopefully this breach will lead to a crackdown on kid security. Still, parents can never be too cautious.