VTech hack exposes parents’ nightmare: The Internet of broken toys

Toys are supposed to bring a sense of fun and wonder to a child’s playtime, but as November’s VTech Kids hack demonstrated, toys these days can also bring threats from the Internet. How’s a responsible parent to know which Internet-connected toys are safe, and which ones are the broken toys?

“They’re all bad,” said Josh Corman, an Internet of Things security expert and parent who wants government and corporations to take a more active role in safeguarding customer data and consumer devices with his “I am the Cavalry” initiative. “And they’re all going to be bad because we haven’t made it clear what the stakes of connectivity are.”

Toymakers have not acquitted themselves well on that front. Barbie and shelfmate competitor My Friend Cayla, along with skateboards, remote-control cars, drones, Hello Kitty, and VTech Kids’ plethora of toys are just some of the Internet-connected playthings that have recently been hacked.

While Corman and others like him scramble to get regulatory agencies to pay attention to the risks of adding Internet abilities to everything from cars and pacemakers to tea kettles and door locks, toys fall into a sort of no man’s land. There’s no seal of approval for Internet-connected toys, and while there are laws governing how safe a toy is physically, those rules don’t protect kids and parents from how it connects to the Internet or what the toy manufacturer does with their data.

As popular as these toys are—the VTech hack at the end of November has affected more than 4.8 million parents and more than 6.3 million kids—toymakers like Barbie’s Mattel are looking to new tech to boost sales. Global Barbie sales were down 15 percent in the first 10 months of 2015, compared to the previous year.

VTech Kids spokeswoman Susan Murphy declined to comment, only pointing to the company’s FAQ on the breach.

Mattel did not respond to a request for comment.

“The problem with Internet of Things kids’ toys is that they’re pretty low-margin,” said Tod Beardsley, a security expert who runs the Metasploit project at Rapid7, a program to help other security researchers discover vulnerabilities. “They may even be loss leaders for other things the company may sell. So if you have a security program, that starts to eat into that very thin margin.”

How parents can evaluate toys

Despite legitimate concerns over the proven riskiness of Internet-connected toys, parents can take steps to ensure that the toys they’re buying are at least slightly safer than the rest. You can’t just trust a toymaker, says Chris Wysopal, chief technology officer and co-founder of software security evaluation firm Veracode.

“Assuming that a company is safe until they prove themselves unsafe is not the right way to look at it,” he says. Instead, parents should look for toys that connect only over Bluetooth, or at least allow you to switch off the Wi-Fi connection, he says. It’s important to be wary of toys that record and broadcast video and audio, especially over Wi-Fi.

And although Bluetooth is safer against hacks than Wi-Fi because it only allows connections from nearby devices, it’s not impervious to the bad guys. It’s often built into devices without proper security protocols, says Wysopal.

“You have to look at the security track record of providers,” he says. Companies with proven track records, such as Apple and Google, are generally better with security and security updates than companies with no history of safe practices, he explained.

The missing regulatory piece

The challenge is that no single regulatory agency keeps tabs on Internet-connected kids’ toys. The federal Consumer Protection and Safety Commission, which normally holds jurisdiction over toys and more than 10,000 other products, denied that it can regulate Internet-connected toys.

“It’s a really important issue, but it actually does not fall in the domain of what the CPSC does,” spokesman Scott Wolfson says. “Our mission is protecting consumers from unreasonable risk of physical harm.” That covers lead paint and potential choking hazards, but not your child’s personally identifiable information.

States known for aggressive consumer protection said they are keeping tabs on the VTech breach. Representatives of the New York and Connecticut attorneys general declined to comment on the VTech case or toy breaches in general.

How toymakers can improve

Some hacks against Internet-connected toys can be frivolous, but others are serious business. VTech Kids’ login portal is still offline, weeks after being taken down in an effort to protect VTech customers.

Security researcher Troy Hunt, who has been involved with the VTech hack investigation since the breach was first discovered, says makers of Internet-connected toys are collecting too much data on their customers and their children, and aren’t paying enough attention to device or site security. He also says they aren’t hiring enough “competent” security specialists.

As for parents who tend to make product judgments and purchases “based on content and brand,” Hunt says, recent toy security “history has shown that’s no way to make a call.”