Analysis: VTech hack exposes ID theft risk in connecting kids to Internet

VTech Holdings

06/12/2015 13:00

By Jim Finkle and Jeremy Wagstaff 
    BOSTON/SINGAPORE, Dec 6 (Reuters) - Parents who gave their 
child a Kidizoom smartwatch or a VTech InnoTab tablet may have 
exposed them to identity theft after Hong Kong-based VTech said 
hackers stole the personal information of more than 6 million 
children. 
    The breach underscores how digital products aimed at kids 
often have far weaker security than other computer products, and 
may pose a threat to a booming industry. Shipments of toys that 
connect to the Internet will rise 200 percent over the next five 
years, according to estimates by UK-based Juniper Research. 
    It's not clear what the motive was for the VTech breach nor 
whether it has resulted in any identity theft so far. Still, 
it's a warning for people who don't understand how much data and 
sensitive information is in a child's toy. 
    "The last thing you would ever imagine is that a toy 
manufacturer would lose your child's identity," said Liam 
O'Murchu, a Symantec Corp  SYMC.O  researcher known for his work 
dissecting complex malware produced by nation states. "This 
shows that it's harder and harder to do things safely online," 
he said. 
    In VTech's case, buyers of the company's cameras, watches 
and tablets are encouraged to provide names, addresses and birth 
dates when signing up for accounts where they can download 
updates, games, books and other content.  
    VTech said the hackers compromised its Learning Lodge app 
store, which provides content for children's tablets, and its 
Kid Connect mobile app service that lets parents communicate 
with those tablets. 
    Toys that gather data on the user, like VTech's line of 
cameras, watches and tablets and their associated websites, will 
grow by 58 percent annually, according to Juniper.  
    That category includes dolls like Mattel Inc's  MAT.O  
recently introduced Hello Barbie, which connects to home 
wireless networks and communicates with servers to enable 
conversations by uploading audio and getting responses from the 
cloud.  
    Mobile security firm Bluebox and independent security 
researcher Andrew Hay on Friday disclosed that they had jointly 
uncovered multiple vulnerabilities in iOS and Android apps that 
work with the device, as well as its cloud servers operated by 
technology partner ToyTalk. 
    Among their findings, they claimed that the app could be 
hacked to reveal passwords, could be tricked into connecting to 
hostile networks controlled by hackers and that the servers were 
vulnerable to some types of attacks.      
    Mattel spokesman Michelle Chidoni said that the toymaker and 
Hello Barbie technology partner ToyTalk have taken steps to 
ensure the products meets security and safety standards.  
    ToyTalk said in a statement that it had already fixed many 
of this issues raised.  
    It's too soon to say if the breach will hurt VTech's sales. 
Still, its stock fell 2.6 percent this week as it hired forensic 
experts, responded to government investigations on three 
continents and temporarily shut down more than a dozen websites, 
including a messaging service and kids' app store.  
    Mark Stanislav, a researcher at the security firm Rapid 7 
Inc  RPD.O , whose wife is expecting their first child in a few 
weeks, began looking into problems with children's products 
after hearing about security flaws in baby monitors, and he 
subsequently found such problems in products from eight baby 
monitor vendors. 
    After disclosing the flaws to the companies earlier this 
year, he said most have been fixed. He told Reuters he has since 
found problems in websites that connect other types of devices 
to kids, including one from a major manufacturer. He will go 
public with those findings next month after giving manufacturers 
time to fix the problems. 
    Identity thieves use compromised data to pose as their 
victims, get loans or credit cards or apply for services such as 
utilities. Other types of criminals assume stolen identities to 
evade capture by police.  
     
    CLEAN SLATES 
    Children offer credit slates to fraudsters that can be 
exploited for years without the victim's knowledge, said Tom 
Kellermann, chief cybersecurity officer with Trend Micro Inc 
 4704.T . 
    "Kids have a longer life in front of them and they have 
completely clean credit, which makes them more valuable," 
Kellermann said. 
    A child's name, birth date, email address and Social 
Security number are worth $30 to $40 on some underground 
markets, more than the $20 value of most adult profiles, he 
said.  
    Research by Carnegie Mellon University in 2011 found that 
more than 10 percent of a sample of stolen children's social 
security numbers had some sort of fraudulent activity associated 
with them, a proportion 51 times higher than adults'.  
    A child might not find out that their identity had been 
stolen until they are in their late teens, said Michelle 
Dennedy, Cisco Systems Inc's  CSCO.O  chief privacy officer who 
founded an identity-theft site for parents, 
theidentityproject.com. 
    "It's a pain when you are an adult, but for a child it can 
have so much more harm," said Dennedy. "Somebody might fail a 
background check for first job, or get arrested because a child 
molester stole their identity." 
    Still, Vtech has some frustrated customers, even though 
cyber experts said the stolen VTech data has yet to turn up on 
forums where such information is sold. 
    "My concern is: Myself and other unlucky parents out there 
buying these products during the holidays and have no warning 
that they may not be able to use these products now or in the 
future," said Sarah Brace, a Canadian who commented on VTech's 
Facebook pages.  
    And it may attract U.S regulatory scrutiny. U,S. rules 
enforced by the Federal Trade Commission limit how personal 
information collected online from children under age 13 is 
treated. That information can include photos, videos and chat 
logs, just the sort of data that appears to have been collected 
by VTech, said Phyllis Marcus, a former FTC official now at the 
law firm Hunton & Williams LLP. 
    The FTC declined to confirm or deny any probe of VTech. 
Authorities in Hong Kong, the United Kingdom and the U.S. states 
of Connecticut and Illinois have said they are looking into the 
breach. 
 
 (Reporting by Jim Finkle and Jeremy Wagstaff. Additional 
reporting by Diane Bartz in Washington and Subrat Patnaik in 
Bangalore. Editing by Jonathan Weber and John Pickering) 
 ((jim.finkle@thomsonreuters.com; +1 617-856-4344; Reuters 
Messaging: jim.finkle.thomsonreuters.com@reuters.us)) 
 
Keywords: VTECH CYBERATTACK/KIDS