VTech hack brings up questions about children’s data and interactive toys

By Larry Magid

By now you may have heard about the data breach at VTech, which makes electronic toys for very young children ranging from zero to six years old. Its line includes “My First Tablet” aimed at toddlers, the Kidizoom Action Cam for preschoolers, smart watches for kids and a line of “interactive dolls that help children learn through role-play.”

While this hack was limited to the company’s database (not its toys), it brings up the wider question of whether interactive children’s toys are vulnerable.

According to the company, data stored on its Learning Lodge app store was compromised in November. It included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history for about 5 million accounts, as well as the names, genders and birth dates of the children. The company said that its database doesn’t contain what it calls “personal identification data” such as credit card information or Social Security numbers.

I disagree with the company’s claim that the breach doesn’t include “personal identification data.” True, there was no Social Security or driver’s license information, but names, addresses and birth dates constitute valuable information for identity thieves and do put the children at some risk. What some parents may not realize is that children are prime targets for identity theft precisely because they almost always have a squeaky clean credit rating. Also, identity thieves know that the crime can go undetected for years, until a child is 17 or 18 and applies for a student loan or credit card.

It’s bad enough when data about adults is compromised in an attack but particularly bothersome when attackers scoop up data about children.

Is Barbie at risk?

Although this breach had nothing to do with Mattel or the new Hello Barbie doll, it does come just as this giant toy maker is promoting its new interactive doll that not only speaks to children, but listens to and stores the child’s information on cloud servers. The technology behind the doll is from San Francisco-based ToyTalk, which said in a blog post that the doll sends a child’s audio to ToyTalk’s servers and in return receives an audio file of Barbie’s response to play. The company added that “both directions of this communication use asymmetric encryption technology,” and that data “is protected while it is sent to the server, and it also authenticates the response to ensure that it is coming from ToyTalk’s servers.” The company also said that “children’s audio data is not stored on the doll and no conversation history is stored on the doll.”

There are reports that Hello Barbie was hacked, including one from security researcher Matt Jakubowski, who told Global News that he was able to “extract system information, Wi-Fi network names, account IDs for the account the doll was connected to and even MP3 files,” though he said that the MP3 files were not from the children, but stock answers that the doll can say when not connected to the Internet.

In response, ToyTalk said that the hack involved taking the doll apart and desoldering a chip, that it wasn’t done over the Internet, and that “it’s important to note that in all of these cases, no children’s audio was accessed, no passwords were compromised, and no dolls were made to say anything unintended.”

From what I can determine, ToyTalk is taking security and privacy very seriously, but that doesn’t mean that they are necessarily hack-proof, and it’s no guarantee that other companies that join this space will be as security conscious as this innovator.