Should IoT toys like Hello Barbie freak you out? Here, we analyze smart toys’ security concerns and examine what companies need to do to handle data safely
With Christmas just around the corner, parents everywhere have been hunting for this season’s hottest toys. One of the biggest trends for kids – as if it were any surprise – has been toys that connect to the Internet, adding fun features and a whole new dimension to play.
Toy manufacturers are rushing to gain a foothold in this market, hoping to emulate how connected devices like smart watches and health trackers have become popular with adults. A central element that makes these devices so effective is their ability to learn about users by collecting, analyzing, and in some cases saving data on their servers.
For all their benefits, these toys come with a host of risks that parents and even the companies themselves are just starting to wake up to. Many parents and experts are wondering whether their children’s information is being kept safe, and how vulnerable they are to malicious hackers.
All this raises an important question: Is now the right time to get a “smart” toy?
Six million kids’ personal data gets stolen from smart toy manufacturer VTECH
One of the most severe cases came to light this month when news broke that the Hong Kong-based manufacturer VTECH had been the victim of hackers. The revelation was accompanied by a wave of widespread shock that the attackers had managed to walk away with the personal data of over six million kids.
According to reports, the data stolen from VTECH’s servers included details like names, birthdates, and addresses belonging to customers who had bought the company’s InnoTab tablets or Kidizoom smartwatches. The company collected this information for the accounts used to download content like educational material and games from its Learning Lodge app store.
Amit Ashbel, a Cyber Security Evangelist at Checkmarx who posted on the attack, spoke with Geektime about the hack, saying that, “The hacking was on a really basic level. The data was stolen with an SQL injection, which is very common. It could have been very easy to prevent through better security in the coding.”
“Their level of encryption was weak at best and out of date when compared to industry standards,” Ashbel explained, highlighting an issue that is unfortunately exceedingly common throughout the sector.
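To make Ashbel’s two points concrete, here is an added example (it is not VTECH’s code, and the page does not say what their queries or password storage actually looked like). It builds a small in-memory SQLite table of parent accounts, shows the string-spliced query that an SQL injection exploits beside the parameterized form, and, since the “weak encryption” remark most likely concerns how credentials were stored, shows a salted, iterated password hash in place of a bare digest. The table layout, the sample rows and the injection string are all constructed for illustration.

```python
"""Added example, not VTECH's code: SQL injection through string-built queries,
the parameterized fix, and salted password hashing. All data here is constructed."""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed sample data: a parent-account table such as an app store might keep."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (email TEXT, pw_salt BLOB, pw_hash BLOB, child_name TEXT)")
    for email, password, child in [
        ("alice@example.com", "correct horse", "Ann"),
        ("bob@example.com", "battery staple", "Ben"),
    ]:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO parents VALUES (?, ?, ?, ?)", (email, salt, digest, child))
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the caller's input is spliced into the SQL text, so the input
    x' OR '1'='1  turns a one-row lookup into a dump of the whole table."""
    query = f"SELECT email, child_name FROM parents WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    query = "SELECT email, child_name FROM parents WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Iteration count is an assumption for the example; raise it for production use.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted, iterated hash: a stolen table cannot be reversed with a rainbow table,
    and equal passwords do not produce equal stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(conn, email, password):
    """Constant-time comparison against the stored salt and digest; False if no such account."""
    row = conn.execute("SELECT pw_salt, pw_hash FROM parents WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))  # both rows leak
    print("safe:      ", lookup_safe(db, INJECTION))        # no match
    print("login ok:  ", verify_password(db, "alice@example.com", "correct horse"))
```

The fix for the injection is not input filtering but parameter binding: the database driver sends the value separately from the statement, so quoting tricks have nothing to break out of. The hashing half shows what “industry standard” credential storage looks like in practice: a per-user random salt, a slow iterated derivation, and a constant-time comparison at login.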
Is enough being done to protect our data?
That hackers are out there trawling for personal information like credit card and social security numbers, as well as other valuable tidbits, should come as no surprise. Databases holding financial information have long been a juicy target for attackers, which is supposedly why security teams have beefed up their protection efforts.
The growth of the Internet of Things sector presents a new challenge to the industry, as these devices collect heaps of data on us and require us to give out our information to an even wider circle of actors. Each of these companies and their devices becomes a potential liability that sharply increases the risk of exposure.
David Mirchin, the Head of the Technology and Privacy Practice at Meitar Law Firm in Israel explains to Geektime that, “People tend not to value their privacy very much and are ready to give it up for small incentives,” citing discounts at retailers or access to online stores for downloads like in the case of VTECH.
Signing up for accounts via Google, Facebook, Amazon, and a number of other services has become nearly ubiquitous in the online era. The circle of companies that collect and store data is growing rapidly as the public expects a wider range of services, all while these businesses are hungrily seeking more data about their users to increase sales. The question is whether all of these actors are really up to the task of keeping this information private like they claim.
Connected devices and the services behind them offer exciting possibilities: software updates (new versions of iOS), downloads (the App Store or Google Play), easier purchases (think Amazon Dash buttons), and other great services such as tracking our health on a Fitbit. We open up accounts with these companies, letting them know who we are, allowing them to learn about our habits, and in many cases, giving them our credit card information for seamless payments.
As adults, we have a reasonable expectation that the companies we give out data to will act responsibly to protect our information, but we understand that no system is ever 100% secure and that hacking is always a risk.
With that in mind, what is the role of a company that holds our data? What steps does it have to take to ensure that the data does not fall into the hands of hackers, and if it does, what is its liability?
Mirchin explains that in many cases in the past, companies had not been held legally responsible for data being exposed from their systems if the data stolen was not sensitive and they had taken reasonable security measures. Generally, a company that has been hacked has a duty to notify their users of the hack (47 states in the United States have data breach notification laws). So far, though, they have not been taken to task for their weak defenses.
However, this status quo is rapidly changing. Mirchin says that he is seeing a shift among government agencies in how they expect data to be secured. He says that the EU announced a draft proposal in mid December. In sectors like Banking, Energy, Transportation, Health and Digital Infrastructure (Internet exchange points and the domain name system, for example), Mirchin notes that there are starting to be mandatory security standards and data breach reporting.
In the EU, he says, “They are proposing a lower level (the exact requirements for which aren’t clear yet)” for “important digital businesses, like cloud computing services, online marketplaces and search engines.”
In the United States, the Federal Trade Commission has already begun addressing these kinds of cases with its action against Wyndham Hotels, the owners of chains like Howard Johnson, Ramada, and others. Wyndham was hacked three times over two years, leading to the theft of data from over 500,000 user accounts. The stolen data was later used to run up fraudulent charges topping $10.6 million. In its lawsuit against the company, the FTC alleged that after the initial hack in 2008, the company had failed to fix basic flaws in its security that let the hackers break in and steal more data later, and asked the court to require it to implement more stringent security standards.
On December 9, Wyndham settled in the case with the government agency, and according to the statement to the press, “will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.”
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez in her remarks to the press. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
In a similar story across the pond, British privacy regulators fined Sony £250,000 after the hacking of their PlayStation Network. The Information Commissioner’s Office found them to be in breach of the Data Protection Act for not doing enough to prevent the exposure of users’ personal details including names, birthdays, and credit card information.
Mirchin says that based on these cases, VTECH could find itself liable for damages should the parents of the exposed children sue, or should government agencies in the U.S., Europe, or Asia decide to bring enforcement actions.
How can government play a bigger role in protecting data?
At this point, Mirchin says that there are not hard and fast global regulations when it comes to protecting data, saying that the rapid advances in technology would quickly make any legally recognized standards outdated and irrelevant.
He tells Geektime that the FTC has made a great start by summarizing “Ten Major Lessons” from its more than 50 enforcement actions on privacy and security violations. The focus is on understanding the principles, rather than mandating specific technologies. A major principle is to think about security from the very beginning. “Don’t collect information you don’t need,” says Mirchin. “No one can steal information you don’t have.” If a company thinks about privacy in the beginning, it can avoid a lot of expense and legal headaches down the road.
Mirchin offers four other “commandments,” which include ideas like:
1. Get rid of what you don’t need
2. Protect the information you keep.
3. Train your staff.
4. Create a plan to respond to security incidents.
The FTC issued a staff report in January titled “Internet of Things: Privacy & Security in a Connected World,” in which it began to outline how it intends to apply existing legislation and principles to this new technology. While this is a good start, the agency has a lot of grey areas to work through as its approach in this field continues to evolve.
How would data protection regulations apply to startups?
There can be some variance between standards in different sectors. When approaching the issue of regulation, Mirchin says that consideration should be given to how it would apply to startups. The government wants to encourage innovation, and there is a risk that overregulation makes compliance far too expensive for smaller companies, which lack the resources of their larger competitors. Mirchin thinks that not all laws should apply to companies of all sizes, meaning that smaller companies (measured by revenue or headcount) should have more flexibility under the regulation in order to stay competitive.
Mirchin offers the National Institute of Standards and Technology, which serves as the federal agency charged with working with the industry on areas of standards and technology, as a possible framework for establishing a model of self-regulation for the IoT space. He cites their framework for cyber security for infrastructure that is largely voluntary but mandatory for critical sectors like banking.
“If there are voluntary standards, the government can look to them as industry standards, setting the bar for what should be expected,” says Mirchin. “If you’re not holding up to these standards, then you put yourself at higher risk of being sued.”
“We need to find a balance between security and innovation,” explains Mirchin, “The level of security should depend on the sensitivity of the data, with enough consideration for startups so that they don’t choke on compliance. Where this line falls is difficult to determine, but it needs to be part of the decision making process.”
Are companies doing enough to protect children online?
The types of data and exposure that constitute these higher risk categories are far from clear cut. With so much of the effort in improving security pointed towards financial targets (and poorly at that), where there are clear monetary damages demanding attention, the issue of apps and services for children largely flies under the radar.
If we take the VTECH case, shouldn’t there be higher standards of security when it comes to kids’ data?
The Children’s Online Privacy Protection Act (COPPA) that came into effect in 2000 aimed to provide kids with a layer of defense against data collection. According to the law, it is illegal for a company to collect personal information online from children under the age of 13 without a parent’s express permission.
COPPA applies not just to Internet sites, but to mobile apps as well. Early in 2015, the FTC said that they would also consider applying COPPA’s protections for children to IoT.
One of the issues that has come up is that many of the manufacturers of the devices aimed at kids have little to no background in operating large user info databases.
“The problem with IoT is that a lot of vendors have entered the market, dealing in areas of consumer electronics to clothing that do not have the necessary experience or awareness in securing data,” explains Ashbel.
He gives the example that many devices are found to ship with a default password that cannot be changed by the user. If every unit of a given model uses the same password, a hacker only has to look up the password for one of them to gain access to all the rest.
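The shared-default-password problem is easy to check for once a vendor has an inventory of what it shipped. The following is an added example, not code from any vendor or device named on this page: it audits a constructed device inventory for units still on a known factory default, flags any credential that more than one unit shares (reporting only a fingerprint of it, so the audit output is not itself a password list), and shows how a per-unit random credential would be generated instead. The inventory records, model names and default-password list are all assumptions made for illustration.

```python
"""Added example (not any vendor's code): auditing a fleet of connected devices
for shared or factory-default passwords, plus per-unit credential generation.
Inventory, model names and the default list are constructed for illustration."""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed list of common factory defaults; a real audit would use the vendor's own list.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345678"}

# Constructed inventory: one model shipped with the same password on every unit,
# another with a distinct password per unit.
INVENTORY = [
    {"id": "cam-001", "model": "KidCam-1", "password": "admin"},
    {"id": "cam-002", "model": "KidCam-1", "password": "admin"},
    {"id": "cam-003", "model": "KidCam-1", "password": "admin"},
    {"id": "tab-001", "model": "LearnTab", "password": "k9Qr2vMwXz7Lp3Hb"},
    {"id": "tab-002", "model": "LearnTab", "password": "Zp7wLq4TnB9cRx2D"},
]


def fingerprint(password):
    """Short hash so findings can name a shared credential without printing it."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(inventory, known_defaults=KNOWN_DEFAULTS):
    """Return two kinds of finding:
    'default': device ids whose password is on the known-default list;
    'shared':  credentials used by more than one device, with the affected ids."""
    by_password = defaultdict(list)
    findings = {"default": [], "shared": []}
    for dev in inventory:
        if dev["password"] in known_defaults:
            findings["default"].append(dev["id"])
        by_password[dev["password"]].append(dev["id"])
    for password, ids in by_password.items():
        if len(ids) > 1:
            findings["shared"].append({"fingerprint": fingerprint(password), "devices": sorted(ids)})
    return findings


def provision_unique_password(length=16):
    """Per-unit random credential, generated at manufacture (printed on the label)
    or at first boot, so no two units share a secret an attacker can look up."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for kind, items in audit(INVENTORY).items():
        print(kind, items)
    print("fresh credential:", provision_unique_password())
```

The two findings are deliberately separate: a password can be unique yet still a known default (one unit on “admin”), and a password can be shared across a model without appearing on any default list. Both cases mean a single leak compromises more than one device. Generating the credential per unit with a CSPRNG, as in `provision_unique_password`, is the usual fix when the firmware cannot be changed to allow user-set passwords.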
One of the hottest toys on the market in the lead up to Christmas is Mattel’s Hello Barbie, a connected version of the classic doll that is capable of holding “two way conversations” with a child. When a child speaks with the Barbie, it relays the conversation back to a server where it can find the right response, while at the same time creating a recording that parents can then upload to social media.
In an email from the ToyTalk team, the company says that it has been working with the security company Bluebox to identify and mitigate security vulnerabilities in its system.
The company has taken steps to address future security concerns, working through a program with HackerOne that promotes the community to report vulnerabilities, offering up to $10,000 cash for bringing them to their attention.
Explaining their security measures, a ToyTalk representative wrote to Geektime in an email, “ToyTalk will continue to actively engage the security research community through Responsible Disclosure, and will continue to make improvements to Hello Barbie as may be necessary from time to time. Parents can continue to be confident that the integrity of their children’s data is secure, and that Hello Barbie will continue to receive any new security updates as they are available.”
Responding to a question about what kind of information they collect and where it goes, ToyTalk wrote that, “We capture the minimum amount of data in order to operate our service. We do not capture and never ask for personally identifiable information from children, such as their names and addresses. We only share recordings with our vendors for the sole purpose of improving speech recognition. We enter into formal legal contracts with those vendors whereby they are compelled to comply to the same COPPA guidelines mandated by the U.S. Federal Trade Commission with which ToyTalk must comply.”
Privacy activists and others have come out strongly against this new toy, warning that it makes an ideal target for hackers who can turn it into a listening device, or find other reasons for attacking the system. It is worth noting that Hello Barbie is not the first connected doll to draw criticism. The My Friend Cayla doll faced a fair amount of ridicule when security researchers showed they could make it start cursing.
So far, a significant number of parents seem to have put aside any privacy concerns that they might have had, with the Blonde Hello Barbie already listed as sold out on Mattel’s website.
Steps companies can take to reduce the risk of exposing user data
If there is one truth in the world of cyber security, it’s that no system is ever unhackable. However, there are precautions that consumers should expect the companies they entrust with their data to take.
Josh Corman of I Am The Cavalry, a watchdog organization that promotes a more serious approach to security in technology, asks “Why do we think that software should be any more secure than our credit cards?” This rings especially true when we understand how much of our vital financial information is poorly taken care of.
Ashbel, the cyber expert mentioned earlier, tells Geektime that, “Products should only hit the market after their code has been analyzed using the proper application security solutions.”
Moreover, he says that, “Organizations must be held responsible for the data that they collect from their users and should be forced to comply with industry standards and best practices.”
With some estimates showing global spending on IoT galloping past $1 trillion to the $1.3 trillion mark over the next five years, the safe money is that the industry will continue to push boundaries.
When it comes to whether or not parents should be rushing to buy toys like the Hello Barbie, the answer is far from clear.
After reviewing its policies for how to fix holes in its security and interact with the community, it seems like ToyTalk is doing pretty much everything right. Is the data that could be stolen in the event of a hack potentially that damaging if it gets taken? I’m not so sure. For the time being, toys do not rate as high on my own priority list as banking, email, or other potentially catastrophically important accounts.
That said, I still have a few outstanding issues.
The advantages of increased connectivity in the home, on the road, and in a million other parts of our lives are generally clear, and in a majority of cases, innovative and wonderful ideas. But before we rush to embrace the IoT revolution too heartily, we need to take into account the potential risks that come along with being plugged in.
Everything and everyone always bears the risk of being hacked. How do the inherent benefits of giving connected toys to children stand against the risk to their personal data, voice, thoughts, or even images? We accept and expect this risk from our smartphones and apps, but are still unprepared to treat our toys with suspicion.
After all, if a child can’t confide in their dolls, then what are we left with?
Which kinds of dangers we are willing to take on ourselves, versus what is fair to place on children, are questions that parents should be asking and making educated decisions about. Are dolls that record a child’s voice worth the risks? The jury is still out and is unlikely to come back with a verdict anytime soon.
IoT as a field is at such an early stage that it is hard to tell where it will go. Up until now, the industry has been pushing out devices in order to stir up excitement, but it is still far away from full implementation. Readers can expect that the focus in 2016 will be on how to make the IoT more secure and workable. Whether this likely push can bleed into the rest of cyberspace may be too hopeful at this point.
VTECH is likely to face a lawsuit in the coming months and years, as are other companies who fail to take the necessary steps to secure their precious data.
After speaking with Mirchin about the unclear standards and complexity of the issues at hand, we both walked away with one conclusion. It is a great time to be working as an IoT security consultant.