Skip to content ↓ | Skip to navigation ↓

As Christmas approaches, like most parents and grandparents, I set off shopping with my wife to seek out suitable presents to drop into Santa’s sack for the festive season of giving.

My granddaughter loves nothing more than to get her little hands on an iPad (on which she stabs around under supervision) to enjoy some of the rich entertainment hosted on a great thing we take so much for granted – AKA the Internet. It seemed to make perfect sense to locate a child-friendly, and safe tablet with which she could safely entertain herself.

Last Saturday we went to the local toy store. Upon entering the store, one of the very first areas we arrived at was in the form of a mini-person “Tech City” – a display of smart watches and learning devices, amongst which was the answer to our shopping mission: a VTech tablet.

It was a matter of seconds before we were approached by a salesman who told us that he had a VTech tablet at home for his two boys, and went on to share his product knowledge re the onboard safety feature. Our salesman also went to great lengths to drive home the fact that this tech-toy had internet access, but had a host of on-tablet security features to keep the little one away from the dark places that the Internet can offer up.

Satisfied with our find, we set off in the direction of the till to pay for this safe mini-computer.

Upon arriving home, I placed our purchase in Santa’s Little Grotto. Now as spooky as it may seem, it was at this juncture when I decided to do a little casual work, and to take a look at the security events and breaches which had occurred in the month of November 2015 – and there it was, ‘VTech Database hacked,’ a position which is now exacerbated with the implication of unauthorised disclosure of personal pictures of children, with a wider impact on no less than a potential of 5 million users!

Now don’t get me wrong here, as I am not actually that excited about the actual hack against VTech, and have no intention of bashing them, as I am suffering from numbness of such regular disclosures which would seem to be matters of BAU (Business as Usual).

However, there are a number of things here which do get my goat, as two of them are conjoined in one place. One of these issues is that of insecurity and the other is online child safety.

As you may have concluded by now, without hesitation, I travelled back to the store, got a refund and asked to see the manager to share a few home truths relating to the hack, which had occurred circa mid-November, and the potential to expose images of children to a set of creepy eyes of any perverse onlooker to exploit the IoT (Internet-of-Toys) hand-held pad.

However, it would seem that that this particular store, and the local branch, had received no notification or direction from their companies HQ, and thus, as far as they were concerned, this was a safe product. My response here was that until such time this matter is confirmed/concluded, at best these toys should be removed from sale, as they are by implication exposing children to the potential of online abuse. Or failing that, the store should at least appraise the buying public of the potential security implications to the young users.

On December 2nd,  I returned to the toy store to see if my words had had any effect on the sale of these devices – and I found that, as you can see below, they were still on offer, and had no security notification, or advice to warn of the known security issues.

VTechSeeing that my words had not found any ground upon which to root, I again asked to see the manager. On this occasion, I met with a very amiable lady who listened with care and took very careful note of what I was saying. She did, however, add that no information had been logged or shared from the previous day, so those seeds seem to have fallen on stony ground.

However, whilst in conversation, one of the staff in close proximity commented that they were aware of this, as they had picked it up from the radio. The good news is that upon leaving the outlet, the manager in question assured me that she would be contacting her office to raise this matter with them – so hopefully we will see some action.

It is my firm opinion that given the known hack which has implicated the registered users, and the fact that such access to supposedly secured data could allow the wrong sort of person to locate the addresses and details of children sends a shiver down my spine.

And this, let alone the implicit creepy dangers of having some connected weirdo viewing personal images of a young person – or possibly invoking the camera to facilitate some real-time, face-to-face time really does send the message that action must be taken, and taken now to notify the buyer-beware public.

But here the biggest concern of all is that of public disclosure, and corporate responsibilities. Am I wrong to expect that VTech would have notified all of their retailing outlets to make them aware of the security invasion and compromise of an established 5 million users – and if they have, then what has gone wrong?

But moreover, if that action was taken, then should I expect that, at the very least, anyone purchasing such an item which is known to be associated with Internet-facing insecurities should be alerted when they are receiving the hard sell from the company sale teams.

As we live in the age of known insecurity, and in an age which has uncovered an unprecedented amount of online grooming, and the associated surprising growth in the area of paedophilia, am I wrong to expect that, in cases like this, the only correct course of action is to remove such unsafe toys from the shelves before they find their way into the innocent hands of the awaiting children, before we see them exploited in anger by some awaiting perpetrator?

 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock

Hacking Point of Sale
  • John Walker

    FYI – as the author, I did get one comment back directly that
    the content was disagreed with. I do always respect the opinion of others, however,
    my only response here can be that ‘every’ area in this article is based on fact, hands-on, first hand interviews, and meeting with the stores in questions – so it is not
    a fabrication of scare mongering, but based on the realities of the dark side
    of our real world – which is where I live.

  • Brady Chatfield

    Great post, but scary info! Thanks John. My company is working on a device that plugs directly into your home router, and cannot only block waht’s coming in, but provide parents reports on what images/videos are going OUT of your home (i.e. what a child/device is sending/uploading). It’s critical that we, as parents, have better tools. Knowledge is power!