This is why tech toys are dangerous

Suddenly, children's toys are a hacking risk. Here's what you need to know this holiday season.

Toys are dangerous.

No, I'm not talking about toys with sharp edges, toxic materials or small parts that constitute choking hazards.

I'm talking about hacking -- a new threat to the safety of children. Last week, the risk got real.

Of course, smart and connected toys can be fun for kids -- and safe, too. But as we learned last week, the new generation of toys can pose serious risks.

A Hong Kong-based company called VTech got hacked Nov. 14. VTech makes a wide variety of consumer electronics and is one of the world's largest toy makers. Some of their toys encourage the use of VTech's Kid Connect program, which enables kids to chat with parents and download content.

The hacker exposed the breach to the online publication Motherboard and claimed that the point of the hack was to expose VTech's bad security.

The hacker was able to steal names, mailing addresses, email addresses, IP addresses, download histories, the genders and birth dates of the children, pictures of the victims, chats conducted between parents and their children, and much more.

According to reports, the breach affected 6,368,509 children and 4,854,209 parents. Nearly 3 million of those children are in the U.S., and millions more are in Europe.

In this column, I'll offer an optimistic view of the hack, followed by a pessimistic one. I'll tell you the scope of the new risks to children in general and then give you great advice you've never heard before about how to keep kids safe.

The best-case scenario

The best-case scenario is that a single, ethical hacker exposed VTech's bad security. Now that the exposure has embarrassed the company, it will be shamed into a radical overhaul of its security practices and then secure customer data so that it's nearly impossible to compromise in the future.

In fact, VTech has already hired FireEye's Mandiant forensics unit to help make its infrastructure secure. In other words, no harm will come from this entire event.

That's the best-case scenario. Now brace yourself for the worst.

The worst-case scenario

Because VTech's security was so pathetically bad, it's theoretically possible that all the VTech data acquired in this hack had also been stolen previously by unethical hackers.

"All the evidence suggested I wasn't the only person outside of VTech who could have got the data," the hacker told Motherboard.

This data could be sold or posted for free on the dark Web to pedophiles, who could use the data to go "shopping" for victims by browsing the photos. They could learn all about the children for the purpose of socially engineering them or conning them, then they could use the home addresses in the database to find, exploit and even attack them.

The worst-case scenario is that VTech's bad policies and security infrastructure enabled predators to commit horrible crimes against children.

Not the only risk out there

Think of the VTech hack as a wake-up call. An increasing variety of toys and children's products are networked computers. In many cases, these toys do what traditional toys do, which is enable children to mimic adult behavior. But unlike, say, the Easy Bake Oven or a toy truck, today's toys pretend to be laptops, smartphones and other gadgets that children see their parents obsessing over.

Even traditional toys are getting Internet connections.

The most spectacular case this holiday season is Mattel's hot-selling Hello Barbie doll.

Hello Barbie enables children to chat with an artificial intelligence program in a remote data center.

Hello Barbie can engage in conversations with children. The doll connects to home Wi-Fi and works more or less like Apple's Siri. Kids ask questions (after pressing a button on the doll), and their voices are recorded, compressed and sent to remote servers run by a San Francisco company called ToyTalk, where artificial intelligence software processes the words, comes up with a response and sends it back to the doll over the Internet.

A smartphone app enables parents to see the conversations between their child and Hello Barbie; it also deletes them. The data is stored on the phone, which connects to Hello Barbie as if the doll were a home Wi-Fi hub.

While the Hello Barbie app provides parental control and peace of mind, it has also been the source of criticism over the product's security.

Security experts have reported that the Hello Barbie app connects to any Wi-Fi hub with "Barbie" in the name, and so malicious hackers could spoof the doll, connect to the phone and gain access to the data stored by the Hello Barbie app.

While the data passed between server, doll and app uses certificate-based encryption, the methods used by ToyTalk are not secure. For example, all Hello Barbie doll apps reportedly use the same hard-coded password to verify the certificate.
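The two weaknesses described above (trusting any network with "Barbie" in its name, and relying on one password shared by every copy of the app) are both failures to bind the app to one specific device. The Python below is an illustration added for this column, not ToyTalk's or Mattel's code, and the doll SSID, certificate bytes and pairing flow are constructed assumptions. It contrasts a substring name match with a check that accepts only the exact SSID recorded at pairing and a certificate whose SHA-256 fingerprint matches the one pinned for that doll.

```python
"""Illustrative pairing checks for a parent app talking to a Wi-Fi toy.

Hypothetical example written for this article. It does not reproduce any
vendor's implementation; the SSID, certificate and fingerprint below are
constructed sample values.
"""
import hashlib
import hmac

# Constructed sample: what the parent app would have recorded when the
# doll was first paired. A real app would store one such record per doll.
PAIRED_DOLL_SSID = "Barbie-1A2B"
PAIRED_DOLL_CERT = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"constructed-sample-doll-certificate\n"
    b"-----END CERTIFICATE-----\n"
)
PAIRED_DOLL_FINGERPRINT = hashlib.sha256(PAIRED_DOLL_CERT).hexdigest()


def naive_accepts_network(ssid: str) -> bool:
    """Weak check: any network whose name merely contains 'Barbie' is
    treated as the doll. Nothing here is specific to the owner's device."""
    return "Barbie" in ssid


def hardened_accepts_network(ssid: str, presented_cert: bytes) -> bool:
    """Stronger check: the SSID must be exactly the one recorded at pairing
    and the presented certificate must hash to the pinned fingerprint.

    The fingerprint is per-doll and chosen at pairing time, so unlike a
    password baked into every copy of the app it cannot be recovered from
    one installation and reused against another owner's app.
    """
    if ssid != PAIRED_DOLL_SSID:
        return False
    fingerprint = hashlib.sha256(presented_cert).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(fingerprint, PAIRED_DOLL_FINGERPRINT)


def triage(candidates):
    """Run both checks over a list of (ssid, cert_bytes) pairs and return,
    per candidate, (ssid, naive_result, hardened_result)."""
    return [
        (ssid, naive_accepts_network(ssid), hardened_accepts_network(ssid, cert))
        for ssid, cert in candidates
    ]


if __name__ == "__main__":
    # Constructed candidates: the real paired doll, a network with a
    # look-alike name, and the right name presenting a different certificate.
    sample = [
        ("Barbie-1A2B", PAIRED_DOLL_CERT),
        ("Barbie-Guest", b"some other certificate"),
        ("Barbie-1A2B", b"some other certificate"),
    ]
    for ssid, naive_ok, hardened_ok in triage(sample):
        print(f"{ssid:14} naive={naive_ok!s:5} hardened={hardened_ok}")
```

Only the first candidate passes the hardened check; the substring check accepts all three. The design point for a defender is that "looks like the doll" is not an identity, and a secret that is identical in every shipped copy of an app is not a credential.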

And the Hello Barbie system has been found to be riddled with other security holes as well.

Mattel and ToyTalk have reportedly been very responsive to reports of security vulnerabilities and have rapidly addressed many or all of them.

Here's the real takeaway from the security controversies around Hello Barbie: Because Barbie is an iconic brand, and because the toy is popular and is also being widely reported on, the product is getting massive scrutiny. Hello Barbie is an exception to how toy security is normally handled.

So while the public is super concerned about Hello Barbie, and the companies involved have been impressively responsive to those concerns, thousands of other toys are coming out under the radar. Those are the toys that pose real security threats. They're not being scrutinized like Hello Barbie, and the companies that make them aren't fixing the potential security problems.

But you can take measures to protect your children and family against these new security threats.

The best advice you've never heard for protecting kids from hackable toys

The new world of smart and connected toys requires a new sophistication on the part of parents.

We've all heard the standard advice for consumers about the privacy and security of connected products. For protecting children, I have three more tips you've probably never heard before.

1. Use a P.O. box for your billing and delivery addresses

Many toys enable you to buy additional features, content, services or add-on products. When you pay with a credit card, you'll be required to provide a billing address and a delivery address, which are both usually your home address. That information is usually lumped in there with the personal data the company stores about you and your child.

Where children are concerned, the home address is the single most dangerous bit of personal information.

Instead of your home address, use a P.O. box, so you never have to worry about malicious hackers posting your child's home address on a criminal website somewhere.

2. Be wary of parental controls

Parental controls can be secure, but they can also provide the best access point for hackers.

Think about it like this: If the data you have access to as a parent is protected only by a password, or is accessible online or over wireless, then hackers might be able to get access to that data as well.

For some products, kids might be safer if you don't use those parental controls.

3. Teach kids to code

The biggest threat to the lifelong security of children is their own ignorance.

We've reached a stage in the evolution of technology where consumers can buy and use sophisticated, connected products -- including toys -- that they never think of as computers.

Take advantage of learning opportunities -- such as this week's Hour of Code event -- to help your children become tech savvy. If you do that, your kids will be better equipped to think about the security risks for themselves. Understanding how something works is the best way to understand its weaknesses.

Why toys are a special risk

Smart and connected toys can be great for kids, but only if they protect the privacy of both parent and child.

When toys are dangerous, it's because of culture, not the presence of technology. In fact, smart and connected toys are no different from any other consumer electronics gadget, in theory.

The difference is that toy companies may be less likely to obsess over security than companies where technology is the main business. Also, the parents and children who buy or use these toys tend to be thinking of the benefits of technology features without ever considering the risks.

Don't let this happen to you and your family. Know the risks. Understand the technology involved, and be smart and informed about the new world of connected toys.

Stories by Mike Elgan