Hacking children’s toys may not seem like a topic for a blog that focuses on security in the workplace or professional environments, but this story isn’t just about toys. It’s about the confluence of technologies and how security isn’t keeping up.
The Internet of Things has changed everything. So has cloud computing. Companies remain connected to devices and products after the sale. So when USA Today reports that "sensitive data including photos of kids and their parents along with ‘a year's worth of chat logs’ were impacted during a breach of a VTech database in November," we have to understand it isn't about the toys or the products themselves but that consumers don't realize how much control the company retains. This reminds me a lot of the Sony breach, when the information of its gaming system users was compromised, actually. Consumer security is in the hands of companies, and frankly, companies are blowing it.
According to eWeek, the folks at VTech had to admit that they failed in their security efforts in their databases. The article went on to explain:
"The database weakness is related to a class of security vulnerability known as SQL injection. SQL injection is not a new class of vulnerability as it was first publicly discussed back in 1998 by security researcher Jeff Forristal. In a 2013 video interview, Forristal said he wasn't surprised that SQL injection is still a common vulnerability that is widely exploited."
This statement makes me wonder how many other products have similar hidden security threats, ones that the consumer may never know exist. I bet it never dawned on the parents that their children’s photos and personal information were at risk this way. As the Internet of Things becomes more prevalent, I’d expect to hear about more breaches like this. The VTech breach, however, raises alarm because it does involve the most vulnerable among us, as Carl Wright, general manager of TrapX Security, told me in an email:
"It hits home for all of us when cyber attackers target our children's data and profiles. These criminals can breach networks such as VTech's and can operate invisibly, often for months, before they are detected. Corporations must move quickly to adopt new cyber defense strategies that assume attackers are already inside their networks. We must find them before they cause damage or steal confidential data."
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba