return icon

VTech hack exposes ID theft risk in connecting kids to Internet

 Parents who gave their child a Kidizoom smartwatch or a VTech InnoTab tablet may have exposed them to identity theft after Hong Kong-based VTech said hackers stole the personal information of more than 6 million children.

Parents who gave their child a Kidizoom smartwatch or a VTech InnoTab tablet may have exposed them to identity theft after Hong Kong-based VTech said hackers stole the personal information of more than 6 million children.



VTech's products are seen on display at a toy store in Hong Kong, China November 30, 2015. 


The breach underscores how digital products aimed at kids often have far weaker security than other computer products, and may pose a threat to a booming industry. Shipments of toys that connect to the Internet will rise 200 percent over the next five years, according to estimates by UK-based Juniper Research.

It's not clear what the motive was for the VTech breach nor whether it has resulted in any identity theft so far. Still, it's a warning for people who don't understand how much data and sensitive information is in a child's toy.

"The last thing you would ever imagine is that a toy manufacturer would lose your child's identity," said Liam O'Murchu, a Symantec Corp (SYMC.O) researcher known for his work dissecting complex malware produced by nation states. "This shows that it's harder and harder to do things safely online," he said.

In VTech's case, buyers of the company's cameras, watches and tablets are encouraged to provide names, addresses and birth dates when signing up for accounts where they can download updates, games, books and other content.

VTech said the hackers compromised its Learning Lodge app store, which provides content for children's tablets, and its Kid Connect mobile app service that lets parents communicate with those tablets.

Toys that gather data on the user, like VTech's line of cameras, watches and tablets and their associated websites, will grow by 58 percent annually, according to Juniper.

That category includes dolls like Mattel Inc's (MAT.O) recently introduced Hello Barbie, which connects to home wireless networks and communicates with servers to enable conversations by uploading audio and getting responses from the cloud.

Mobile security firm Bluebox and independent security researcher Andrew Hay on Friday disclosed that they had jointly uncovered multiple vulnerabilities in iOS and Android apps that work with the device, as well as its cloud servers operated by technology partner ToyTalk.

Among their findings, they claimed that the app could be hacked to reveal passwords, could be tricked into connecting to hostile networks controlled by hackers and that the servers were vulnerable to some types of attacks.

Mattel spokesman Michelle Chidoni said that the toymaker and Hello Barbie technology partner ToyTalk have taken steps to ensure the products meets security and safety standards.

ToyTalk said in a statement that it had already fixed many of this issues raised.

It's too soon to say if the breach will hurt VTech's sales. Still, its stock fell 2.6 percent this week as it hired forensic experts, responded to government investigations on three continents and temporarily shut down more than a dozen websites, including a messaging service and kids' app store.

Mark Stanislav, a researcher at the security firm Rapid 7 Inc (RPD.O), whose wife is expecting their first child in a few weeks, began looking into problems with children's products after hearing about security flaws in baby monitors, and he subsequently found such problems in products from eight baby monitor vendors.

After disclosing the flaws to the companies earlier this year, he said most have been fixed. He told Reuters he has since found problems in websites that connect other types of devices to kids, including one from a major manufacturer. He will go public with those findings next month after giving manufacturers time to fix the problems.

Identity thieves use compromised data to pose as their victims, get loans or credit cards or apply for services such as utilities. Other types of criminals assume stolen identities to evade capture by police.


Children offer credit slates to fraudsters that can be exploited for years without the victim's knowledge, said Tom Kellermann, chief cybersecurity officer with Trend Micro Inc (4704.T).

"Kids have a longer life in front of them and they have completely clean credit, which makes them more valuable," Kellermann said.

A child's name, birth date, email address and Social Security number are worth $30 to $40 on some underground markets, more than the $20 value of most adult profiles, he said.

Research by Carnegie Mellon University in 2011 found that more than 10 percent of a sample of stolen children's social security numbers had some sort of fraudulent activity associated with them, a proportion 51 times higher than adults'.

A child might not find out that their identity had been stolen until they are in their late teens, said Michelle Dennedy, Cisco Systems Inc's (CSCO.O) chief privacy officer who founded an identity-theft site for parents,

"It's a pain when you are an adult, but for a child it can have so much more harm," said Dennedy. "Somebody might fail a background check for first job, or get arrested because a child molester stole their identity."

Still, Vtech has some frustrated customers, even though cyber experts said the stolen VTech data has yet to turn up on forums where such information is sold.

"My concern is: Myself and other unlucky parents out there buying these products during the holidays and have no warning that they may not be able to use these products now or in the future," said Sarah Brace, a Canadian who commented on VTech's Facebook pages.

And it may attract U.S regulatory scrutiny. U,S. rules enforced by the Federal Trade Commission limit how personal information collected online from children under age 13 is treated. That information can include photos, videos and chat logs, just the sort of data that appears to have been collected by VTech, said Phyllis Marcus, a former FTC official now at the law firm Hunton & Williams LLP.

The FTC declined to confirm or deny any probe of VTech. Authorities in Hong Kong, the United Kingdom and the U.S. states of Connecticut and Illinois have said they are looking into the breach.

Source: Reuters


Da Nang aims to attract ultra-wealthy

A livable city is certainly worth visiting, but a place worth visiting doesn’t mean it is livable. Da Nang City is striving to become a livable city and a destination for the ultra-wealthy.

Fake news, malicious information spread mostly via Google, Facebook

Some foreign companies providing cross-border services to Vietnam are still not preventing malicious information on their platforms.

Ministry proposes cuts to VAT, luxury taxes to help lower petrol prices

The Ministry of Finance (MOF) has submitted to the Prime Minister a plan to reduce the luxury tax and VAT on petroleum products in an effort to curb prices.

'Hop on Hop off' with Tinder Explore this summer

For the first time, young Tinder users joined an iconic double-decker bus ride, “Tinder Explore - Match Your Vibe bus", to explore exciting dating spots in HCM City.

Five local destinations win Asia’s Best Awards

Five Vietnamese destinations were named among the Top 10 leading cities and islands in the Southeast Asian region, as announced by US magazine Travel + Leisure’s Asia’s Best Awards 2022.

Vietnam to export passion fruits to China from July 1

The General Administration of Customs (GAC) of China has just approved the pilot import of Vietnamese passion fruits from July 1, according to the Vietnam Sanitary and Phytosanitary Notification Authority and Enquiry Point (SPS Vietnam).

The Moffatts and 911 schedule Hanoi performance

Some of the world’s leading bands, including The Moffatts and 911, are set to play a concert at Yen So Park-Gamuda Land in Hoang Mai district of Hanoi on August 6.

Transfermarkt names Quang Hai as local player highest market value

Vietnamese midfielder Nguyen Quang Hai has been valued at Є400,000, equal to VND10 billion, and tops the list of Vietnamese footballers with the highest market value, according to renowned German football site Transfermarkt.

Toy figurine making in Xuan La village

Xuan La village in Hanoi’s Phu Xuyen district has long been famous for making To He, a traditional toy made of rice powder. This is the only village in Vietnam that makes the toy figurine

Vietnam opposes and demands Taiwan to cancel live-fire drills on Ba Binh island

Vietnam resolutely opposes and demands Taiwan to cancel live-fire drills in the waters around Ba Binh island belonging to Vietnam’s Truong Sa (Spratly) archipelago and not to repeat similar violations in the future.

Calligraphy book on poet Nguyen Dinh Chieu recognised as world record

WorldKings and Vietkings on July 1 recognised Collection of Nguyen Dinh Chieu’s Poems, a calligraphy book on poet Nguyen Dinh Chieu as the largest calligraphy book in Vietnamese of poet Chieu's poems in the world.

Hanoi market sees strong development in premium offices

Office real estate is thriving, with new Grade A buildings entering the Hanoi market at the end of the year, according to Savills Vietnam.

Vietnam's HDPE pellets not subject to safeguarding duties in Philippines

The Philippine Tariff Commission (TC) has announced the final conclusion on a safeguard investigation on High-Density Polyethylene (HDPE) pellets imported from many countries, including Vietnam.

NA deputy: drug bidding mechanism is unreasonable

Pham Khanh Phong Lan, a National Assembly from HCM City, said the problems in the healthcare sector have existed for a long time but became even clearer during Covid-19.

Vietnam looks forwards to stronger investment from US, Europe

Vietnam is hoping to attract more investment from the US, Europe and major global enterprises under a recently approved strategy on foreign investment cooperation.