December 7, 2015 / by Rayne

 

Internet of Things: Now, with ‘Breachable’ Kids Connect and ‘Hackable’ Barbie

HelloBarbie

[graphic: Hello Barbie via Mattel’s website]

The Internet of Things (IoT) already includes refrigerators, televisions, slow cookers, automobiles, you name it. Most of these items have already experienced security problems, whether personal information leaks, or manipulative hacking.

Now the IoT includes toys — and wow, what a surprise! They’re riddled with privacy and security problems, too.

Like VTech’s privacy breach, exposing data for more than 6 million children and parents including facial photos and chat logs through its Kids Connect technology. The company’s privacy policy (last archived copy) indicated communications would be encrypted, but the encryption proved whisper thin.

Or Mattel’s Hello Barbie, its Wi-Fi enabled communications at risk for hacking and unauthorized surveillance. The flaws include this doll’s ability to connect to any Wi-Fi network named “Barbie” — it was absolutely brain-dead easy to spoof and begin snooping on anything this doll could “hear.”

It’s amazing these manufacturers ever thought these toys were appropriate for the marketplace, given their target audience. In VTech’s case, it appears to be nearly all ages (its Android app on Google Play is unrated), and in the case of Mattel’s Hello Barbie, it’s primarily girls ages 6-15.

These devices are especially iffy since they tippy-toe along the edge of the Children’s Online Privacy Protection Act of 1998 (a.k.a. COPPA, 15 U.S.C. 6501–6505).

Parents share much of the blame, too. Most have no clue what or how federal law covers children’s internet use under COPPA, or requirements under the Children’s Internet Protection Act (a.k.a. CIPA, 47 CFR 54.520). Nor do the parents who buy these devices appear to grasp this basic fact: any network-mediated or Wi-Fi toy, apart from the obvious cellphone/tablet/PC, is at implicit risk for leaking personal data or hackable. How are these devices risking exposure of children’s data, including their activities and location, age-appropriate toys?

This piece at Computerworld has a few helpful suggestions. In my opinion, the IoT doesn’t belong in your kids’ toybox until your kids are old enough to understand and manage personal digital information security to use the internet safely.

Frankly, many parents aren’t ready for safe internet use.

Copyright © 2015 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2015/12/07/internet-of-things-now-with-breachable-connect-and-hackable-doll/