VTech hack exposes ID theft risk in connecting kids to Internet
Reuters – Mon, Dec 7, 2015 05:23 GMT
By Jim Finkle and Jeremy Wagstaff
BOSTON/SINGAPORE (Reuters) - Parents who gave their child a
Kidizoom smartwatch or a VTech InnoTab tablet may have exposed them to identity
theft after Hong Kong-based VTech said hackers stole the personal information
of more than 6 million children.
The breach underscores how digital products aimed at kids often
have far weaker security than other computer products, and may pose a threat to
a booming industry. Shipments of toys that connect to the Internet will rise
200 percent over the next five years, according to estimates by UK-based
Juniper Research.
It's not clear what the motive was for the VTech breach nor
whether it has resulted in any identity theft so far. Still, it's a warning for
people who don't understand how much data and sensitive information is in a
child's toy.
"The last thing you would ever imagine is that a toy
manufacturer would lose your child's identity," said Liam O'Murchu, a
Symantec Corp researcher known for his work dissecting complex malware produced
by nation states. "This shows that it's harder and harder to do things
safely online," he said.
In VTech's case, buyers of the company's cameras, watches and
tablets are encouraged to provide names, addresses and birth dates when signing
up for accounts where they can download updates, games, books and other
content.
VTech said the hackers compromised its Learning Lodge app store,
which provides content for children's tablets, and its Kid Connect mobile app
service that lets parents communicate with those tablets.
Toys that gather data on the user, like VTech's line of cameras,
watches and tablets and their associated websites, will grow by 58 percent
annually, according to Juniper.
That category includes dolls like Mattel Inc's recently introduced
Hello Barbie, which connects to home wireless networks and communicates with
servers to enable conversations by uploading audio and getting responses from
the cloud.
Mobile security firm Bluebox and independent security researcher
Andrew Hay on Friday disclosed that they had jointly uncovered multiple
vulnerabilities in iOS and Android apps that work with the device, as well as
its cloud servers operated by technology partner ToyTalk.
Among their findings, they claimed that the app could be hacked to
reveal passwords, could be tricked into connecting to hostile networks
controlled by hackers and that the servers were vulnerable to some types of
attacks.
Mattel spokesman Michelle Chidoni said that the toymaker and Hello
Barbie technology partner ToyTalk have taken steps to ensure the products meet
security and safety standards.
ToyTalk said in a statement that it had already fixed many of the
issues raised.
It's too soon to say if the breach will hurt VTech's sales. Still,
its stock fell 2.6 percent this week as it hired forensic experts, responded to
government investigations on three continents and temporarily shut down more
than a dozen websites, including a messaging service and kids' app store.
Mark Stanislav, a researcher at the security firm Rapid 7 Inc,
whose wife is expecting their first child in a few weeks, began looking into
problems with children's products after hearing about security flaws in baby
monitors, and he subsequently found such problems in products from eight baby
monitor vendors.
After disclosing the flaws to the companies earlier this year, he
said most have been fixed. He told Reuters he has since found problems in
websites that connect other types of devices to kids, including one from a
major manufacturer. He will go public with those findings next month after
giving manufacturers time to fix the problems.
Identity thieves use compromised data to pose as their victims,
get loans or credit cards or apply for services such as utilities. Other types
of criminals assume stolen identities to evade capture by police.
CLEAN SLATES
Children offer credit slates to fraudsters that can be exploited
for years without the victim's knowledge, said Tom Kellermann, chief
cybersecurity officer with Trend Micro Inc.
"Kids have a longer life in front of them and they have
completely clean credit, which makes them more valuable," Kellermann said.
A child's name, birth date, email address and Social Security
number are worth $30 to $40 on some underground markets, more than the $20
value of most adult profiles, he said.
Research by Carnegie Mellon University in 2011 found that more
than 10 percent of a sample of stolen children's social security numbers had
some sort of fraudulent activity associated with them, a proportion 51 times
higher than adults'.
A child might not find out that their identity had been stolen
until they are in their late teens, said Michelle Dennedy, Cisco Systems Inc's
chief privacy officer who founded an identity-theft site for parents,
theidentityproject.com.
"It's a pain when you are an adult, but for a child it can have
so much more harm," said Dennedy. "Somebody might fail a background
check for first job, or get arrested because a child molester stole their
identity."
Still, VTech has some frustrated customers, even though cyber
experts said the stolen VTech data has yet to turn up on forums where such
information is sold.
"My concern is: Myself and other unlucky parents out there
buying these products during the holidays and have no warning that they may not
be able to use these products now or in the future," said Sarah Brace, a
Canadian who commented on VTech's Facebook pages.
And it may attract U.S. regulatory scrutiny. U.S. rules enforced by
the Federal Trade Commission limit how personal information collected online
from children under age 13 is treated. That information can include photos,
videos and chat logs, just the sort of data that appears to have been collected
by VTech, said Phyllis Marcus, a former FTC official now at the law firm Hunton
& Williams LLP.
The FTC declined to confirm or deny any probe of VTech.
Authorities in Hong Kong, the United Kingdom and the U.S. states of Connecticut
and Illinois have said they are looking into the breach.
(Reporting by Jim Finkle and Jeremy Wagstaff. Additional reporting
by Diane Bartz in Washington and Subrat Patnaik in Bangalore. Editing by
Jonathan Weber and John Pickering)