Disturbing Children Toys Are Going Too Far: "This is wrong on so many levels"
Christmas is right around the corner and parents are looking for the perfect gift for their children. There’s an endless supply to choose from, but high tech toys are all the rage. They talk . . . They listen . . . (Girl) Hello Dreamhouse! Let’s bake some cookies! (Dreamhouse) Yum, let’s bake some cookies! They are your companions . . . Get Up & GoGo is a sweet puppy that just loves to go for walks and play with you like a real puppy! And some even have magical powers! Mix your potion, make your pet! What’s inside? Woah! Aww, cute! But this holiday season, you’ll want to take a second look . . .
With a doll that might be storing kids’ secrets . . . (Doll) I’m in charge now. You might think I’m just a sweet toy. A wand that lives up to its sinister name . . .
*evil laughing* And a “child friendly” tablet that’s made valuable information vulnerable . . . It appears not all these toys are safe for play. Which toys should be on your “do not buy” list this Christmas? This tablet can do it all . . . And as hackers have discovered, even some things it's not designed to do. But when an app on the tablet provides an in for a massive hack . . . The reputation the company is built on might never recover.
VTech—it’s a company that’s been synonymous with childhood play for the past 45 years. Sure, the Hong Kong-based brand also makes cordless phones and baby monitors, but tech-centric toys are, and always have been, VTech's claim to fame. Whether it's a light-up drum set, a color-changing flashlight or a kid-friendly laptop, the technology VTech adds to children's toys is a twist that makes playtime all the more magical.
For many, the company's interactive and confidence building gadgets are the perfect way to introduce children to the ever evolving world of technology. But is VTech really setting children up for their future or robbing them of one? In 2013, VTech introduced a new toy to their line. This is the InnoTab 3S from VTech. The Innotab 3S was an iPad alternative built around a child's developmental needs.
This is an age-appropriate way for kids three to nine to have their own tablet just like mom and dad. And with safe web browsing, educational apps and a competitive price of $99.99, the tablet was just as likely to appeal to parents as children.
The biggest difference between the 3S and previous models was the introduction of an app called Kid Connect that allowed kids to communicate through the tablet to parents and friends. Nothing takes the place of the time you and your child spend together, but there is a way to stay connected with each other, sharing feelings, intimacies and laughter, even when you are away. To use this feature, parents had to register their account by providing some personal information on themselves and their child.
With that, parents could stay updated on their children through text and voice messages. I love you, Mom. I love you too. But was Kid Connect really as safe as people believed? It lets kids feel like grownups as they safely browse the internet and text with friends and family.
Early reviews of the Innotab 3S were relatively positive, with the consensus that the tablet was no doubt an upgrade from the previous model in terms of controls and capabilities. There were some issues with performance speed and functionality, but children seemed to enjoy the tablet and reviewers were impressed by the apps, especially Kid Connect. And there was another demographic that was hyping up the Innotab: hackers.
Hackers were dedicated to finding exploits in VTech’s tablets. What exactly is an exploit? Well, in computer security lingo And what exactly was the will of these hackers? Well, mainly to play video games on the children's tablet. One hacker turned the Innotab into a device that could run Linux apps. From there, they were able to install vintage games like Doom and River Raid onto the device. Considering the tablet was “not exactly a powerhouse,” these hacks were more a test of skill than a game changer alternative for those who couldn't afford high end gaming tablets.
Still, a community of gamers was forged around the Innotab. Forums like Spiffy Hacks were full of threads where users discussed various ways to hack the tablet. But one hacker was about to take things to the next level. Slipstream was surfing the web when he came across a thread of people discussing ways to hack the Innotab. One piece of information a user mentioned stuck out to the security researcher. VTech used one web service to manage all products.
With this knowledge, Slipstream found one of the company's websites that had a login section. He used SQL injection, an old school hacking technique, and he was in. With the same level of ease, Slipstream obtained “root,” a word for access with full authorization or control of a server.
AKA total virtual freedom. The hacker could now do whatever he wanted. With this newfound power, Slipstream snooped through the VTech servers until he hit a motherlode of information. This is when the hacker said he “realized how serious” the nature of what he'd been able to uncover so easily was. He decided to go to a journalist with the information rather than VTech, a company he believed would never listen and possibly even attempt to cover the breach up. The hacker reached out to Lorenzo Franceschi-Bicchierai, a journalist who writes for Vice's tech division Motherboard.
Slipstream told Lorenzo VTech was guilty of one major online crime—“sh—ty security.” To prove this, he shared with the journalist a portion of data that had been all too easy to steal. he told Lorenzo.
But what exactly had Slipstream found on VTech servers that had the hacker running to the media? Well, remember that private information VTech users gave Kid Connect? Turned out it wasn't so private after all. The addresses, passwords, personal chats, audio recordings, photos, and other identifying information of not only millions of parents, but hundreds of thousands of kids were sitting in VTech’s database, waiting for anyone with basic hacking knowledge to gain access. Luckily, it seemed Slipstream had no grand schemes for the data. He told Motherboard that publishing or selling the information “was never his intention.” But until the security was fixed, the way VTech had attempted to hide user information was worrying. Using substandard cryptography to hide the data was like using duct tape to seal a vault, more of an invitation to look inside than adequate protection.
According to Slipstream, someone with darker motives could just as easily have accessed the same data he had. The information VTech was storing also seemed to violate COPPA, the Children's Online Privacy Protection Rule.
According to COPPA, any company collecting information on children is responsible for making parents aware of what information is being collected. And verifiable parental consent, with limited exceptions, is also needed before collecting personal information online from children. And according to Section 312.8, VTech was responsible for protecting the confidentiality, security and integrity of personal information collected from children by implementing and maintaining reasonable security procedures. In all these areas, it seemed VTech had failed their customers, but this was far from the first time a toy had done more harm to little ones than good.
Meet Vivid Toy Group's doll of the future. (Girl) What’s your name? (Cayla) My name’s Cayla and yours is Abby. (Girl 2) She understands you? Introduced in November 2014 as a step towards new frontiers in playtime, My Friend Cayla was able to answer almost any question, making her “the smartest friend children would ever have.” (Girl) What's this? (Cayla) The Eiffel Tower in France. The singing, talking and always listening doll could tell stories, take part in games and share photos. “She's not just a doll,” her makers at Genesis Toys insisted, “she's a real friend!” But with this many capabilities, was Cayla a doll out of a daydream or a nightmare? According to the discoveries of security researcher Ken Munro, Cayla was not as innocent as she appeared. The doll used her necklace “listening device” to answer questions using Bluetooth. Essentially this gave Cayla access to any information available on the Internet, but parents fear not, security features prevented Cayla from saying anything inappropriate. Except, of course, if she were hacked, a cyber attack Ken Munro claimed the doll was vulnerable to.
According to Red Siege’s Tim Medin, the only thing that stood between a hacker and the doll was “that only one device [could] be connected at a time.” This meant the moment someone disconnected their Bluetooth from Cayla, an “opportunistic bad guy” could strike. And although Tim found Cayla did a “good job of censoring bad words,” through the doll's speakers, a hacker could “play ANY sound” and use the doll as a microphone. “Anyone within range can use this toy to listen to and communicate with the kiddo.”
Hackers in range could also use the doll to record audio. When Cayla recorded, Tim noted that “her necklace lit up, but who was going to look at that?” he asked. But hackers weren't the only ones capable of eavesdropping.
So were her manufacturers. Any private conversations held between doll and child could “be sent to the toy makers,” Claire Gartland, the director of the Washington nonprofit Consumer Privacy Project, told NPR. Breaking the sacred covenant between toy and child, Cayla could send recordings of private conversations to Genesis, as well as the voice recognition company Nuance, which “also [had] a database used by law enforcement and military and intelligence agencies that [matched] voice prints.” Similar to VTech, “parents were not being sufficiently notified” or consenting to what Cayla was doing, meaning the doll also flew in the face of COPPA. One country decided to take matters into their own hands. In Germany, where owning or selling a banned surveillance device can lead to jail time of up to two years, a warning was issued by the country's federal network agency telling parents to destroy the dolls.
It's likely Cayla's makers never planned for the toy to cause this mayhem. But some toymakers seem to set out with the intention to disturb parents and children. In early November 2014, the shelves of a Dayton, Ohio dollar store were filled with the typical discounted knickknacks. But in the toy section, amidst the Barbies, tiaras and Barbie dolls, there was something new. A pink princess wand decorated with flower petals . . .
The packaging promises fairies and “wonderful music.” The only hint of the toy’s true nature was in the ominous name: Evilstick. Not noticing the name, Nicole Allen picked up the toy for her two-year-old daughter. But when she peeled back the foil on the wand, the mother was in for a shocking surprise. The children's toy contained a graphic image of a woman self-harming.
As for that “wonderful music” the package advertised? It appeared the wand's manufacturer left both “wonderful” and “music” up to interpretation. *evil laughter* Nicole didn't see any humor in the toy.
I'm outraged over it. I want to know how they think that that is suitable for a child. But store owner Amar Moustafa claimed the toy was just living up to its name. The name on it, it says: Evilstick. Amar believed it was up to the parents to inspect the toy before giving it to their child.
And although packaging said the toy was for ages three and up, Amar believed it was best to wait a couple of years before getting a child an Evilstick of their own. For a five, six, seven, ten years old. I mean, they see that on TV every day. But customers were not pleased at the idea of a child being exposed to the graphic content. They don't want to think about little girls picking that up and thinking this is normal, you know, or funny or interesting.
Or any of those things. After hearing news coverage of the Evilstick, local Dayton resident Matt Clark decided to buy one for himself. It took a while for him to find the version that had parents so concerned.
In fact, most of the images in Evilsticks weren't particularly menacing. he told Mental Floss. Eventually, he found the Evilstick with the now infamous image. He posted a short YouTube video showing off his new prized possession. *evil laughing* By the next morning, Matt’s 10-second upload titled “BEHOLD THE EVILSTICK” had 100,000 views.
The comment section became a forum for viewers and Clark to voice their “theories about the toy's origins.” After all, who could be responsible for such a strange toy? Clark and viewers traced the image in the wand back to horror photographer Butcher Ludwig’s 2002 “Macabre Muses” series. The image “depicted a vampire ready to feast on her own [vital fluids] for sustenance.” The artist had not given permission for toy manufacturers to use the image and had definitely not given permission to them to add red “demonic eyes” to the photograph. Although the image's origins had been a dead end, a barcode on the toy's packaging traced to a factory in China.
Clark contacted the factory and bingo. They said they had made the toy. His next step was to talk to someone who played a part in creating the toy. Clark posted that he was on the verge of finding the truth . . . But then, he went silent. The YouTuber had virtually disappeared.
Among his viewers, a conspiracy grew that Clark had fallen victim to the Evilstick’s curse. What really happened was far less mystifying. Clark simply didn’t have an update. The factory had stopped responding, leaving the mystery around the toy unanswered. He admitted to Mental Floss that the wild speculation surrounding his departure may have also fueled his decision to remain silent.
Clark told the publication. He said he has since sold the Evilstick to “a buyer in Canada.” “Obviously, she’s been cursed too,” he said. But the fears the VTech breach would soon unlock went beyond any conspiracies. After Motherboard received the data from Slipstream, they enlisted the expertise of Troy Hunt to review the data Slipstream had sent them.
Being the founder of Have I Been Pwned, a website that allows users to enter their email addresses or phone number to see if their information was part of a data breach, Troy Hunt was just the security expert the publication needed. With the data provided, Troy was able to link over 4 million emails with their passwords. Security questions were also available, meaning passwords could be reset for emails “or even an online banking account.” But it was the way the data could be connected to children that really worried Troy, as the security expert explained on his blog. Have I Been Pwned dubbed the VTech hack as the “fourth largest consumer data breach to date.” When Motherboard and Troy contacted the customers to make them aware of the breach, there were questions over why the company needed to store the information in the first place.
a father told the publication. Another parent was also “shocked” that her data was breached on a supposedly “child friendly website.” Motherboard alerted VTech to the breach on November 24th, 2015, a situation the company admitted they had been unaware of until receiving the message ten days after the hack happened. The company released a statement on November 27. They acknowledged the information that had been exposed, but emphasized that credit card information and personal identification numbers had not been part of the breach.
In the future, the company promised to “strengthen [their] Learning Lodge database security” as a way “to ensure against any such incidents in the future.” Troy Hunt was not impressed with VTech's pledge to increase security. he wrote on his blog.
Following the publication of the Motherboard article, VTech updated their customers on the cyber attack. The breach hadn't been as bad as Motherboard reported . . . It had been worse. Over 4 million parent accounts had been breached. And despite earlier reporting that fewer kids' profiles had been involved, VTech revealed over 6 million had been compromised. This, The Washington Post reported, made the breach “one of the largest targeting children” ever. CNET senior editor Dan Ackerman told CBS News this was what happened when toy companies ventured into “sophisticated technology.” “They’re not digital native companies so they may not have the security expertise needed to secure their databases. And this was a fairly simple hack,” Dan told the publication.
And although Slipstream claimed to have noble intentions for his hacking of the company, telling Motherboard it “[made him] sick that he was able to get all this stuff,” and that “VTech should have the book thrown at them,” security experts weren't convinced that data that could be worth millions would go unused. “I wouldn't trust him,” Troy Hunt told CNBC. “I don't believe the word of anyone who compromises a network,” said cybersecurity officer Justin Harvey. Whatever his motivations had been, Slipstream was about to face repercussions.
In December 2015, the hacker was arrested in Berkshire, England. His electronics were seized and he was arrested for “computer hacking offenses” that violated sections 1 and 2 of the UK's Computer Misuse Act 1990, which included: By 2019, the then 24-year-old's identity was revealed as Zammis Clark. The security researcher pleaded guilty to hacking two major networks, Microsoft and Nintendo.
In the end, Clark was sentenced to 15 months. But due to his autism, which could put him at risk of prison violence, the sentence was suspended for 18 months, meaning he wouldn't go to prison unless he re-offended. But what about the offense he was initially arrested over? Hacking VTech.
Although Slipstream took responsibility for the breach, the company didn't end up prosecuting him. After all, VTech had already dealt with their own legal consequences. The Federal Trade Commission found the company “had broken U.S. laws governing the way data about children is gathered” and “failed to take reasonable steps to secure that data.” The company was fined $650,000 for their failure “to protect the privacy of the children using its gadgets.”
After their public shaming, it seemed that VTech was a changed company. They pledged their commitment to COPPA laws and increased security. To prove this to their customers, they also promised to go through “regular independent data and privacy audits for the next 20 years.” All of this made it sound like the company was determined to do better.
But were VTech's promises real or just for appearances? According to VTech, parents should take “responsibility for future breaches.” A VTech spokesperson claimed that although the company was working to improve their security, “no company that [operated] online [could] provide a 100% guarantee that it [wouldn't] be hacked.” Troy Hunt was disappointed by the company's decision. “People don't even read these things,” he wrote in the blog post. VTech felt it was too much effort to protect their users' data. Troy advised the company to at least “put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the ‘zero accountability’ clause.”
What was most dangerous about the information VTech was storing still might not be immediately apparent to most. Names . . . genders . . . birthdays . . . Sure, it's personal information, but it's not necessarily a secret. In fact, we often share these pieces of information willingly in daily conversations, sign-up sheets and online profiles. But when these identifiers were connected and added to the further information from the breach, full profiles of parents and, more importantly, children could be created. This information could then be posted or sold in underground markets, with information on children being the most valuable. Tom Kellerman, Trend Micro Inc’s chief cybersecurity officer, explained to Reuters why children are more appealing targets.
And when a child's identity is stolen, so is their future. In fact, research from a 2011 study at Carnegie Mellon University found the stolen Social Security numbers of children have a 10 percent likelihood of being attached to fraudulent activity. This number might not seem huge, but it's 51 times higher than adults. Failed background checks, credit debt, and even arrest can follow a child into adulthood.
In some cases, stolen information can also result in a virtual kidnapping. The director of research at Pindrop Security, David Dewey, explained the concept to CTV News. And when voice recordings are also stolen, these calls can be all the more convincing. Children don't have a choice over how secure their data is.
Companies like VTech do, and tech-based play is only becoming more popular. Toys that require user data are predicted by Juniper Research to grow “58 percent annually.” As children's toy companies continue to venture into advanced technology, inexperience is the shared trait that might put the security of children at risk. But in a world where smart toys use their capabilities to spy and a princess wand can leave people traumatized, how can parents possibly keep their children safe? Research should be a parent's first step. For smart toys, this unfortunately involves actually reading those pesky user manuals and terms and conditions to understand the information the device collects. Checking that the toy is COPPA approved is also a good rule of thumb. Sites like www.safekids.org help parents keep their fingers on the pulse by compiling monthly lists of child-related recalls. But knockoff and counterfeit toys pose their own risk. These toys often dodge the testing reputable brands go through to meet safety standards, causing a dip in quality that isn't only aesthetic but possibly toxic. If you're unsure if what a site is selling is a counterfeit toy, look at the customer feedback and photos for red flags. Misspellings are another tip-off that a toy isn't from the reputable brand it's attempting to emulate. Our lives are intertwined with our data . . .
And as technology expands, this connection will intensify, even for children. This is an age-appropriate way for kids three to nine to have their own tablet just like mom and dad. Now the question becomes, will companies be held accountable for the mistakes they make while technologizing play? Or will it become a parent’s responsibility to vet their child’s toys?