(Update adds recent Google action regarding the removal of malicious apps from its Google Play Store)

Security researcher Chris Vickery on December 19, 2015 claimed to have discovered a leaked database of more than 3.3 million user accounts of Sanriotown.com and other Sanrio-owned websites such as hellokitty.com and mymelody.com. Sanrio is the Tokyo-based owner of the Hello Kitty toy and accessories franchise, and its customers include both children and adults.

The incident is similar to a November 2015 hack against servers linked to Hong Kong-based electronic toy maker VTech, one of the largest data breaches recorded against a toy company. VTech admitted on November 14 that there had been “unauthorized access” to the database server that stored information from its Learning Lodge app. Details of more than 10 million customer accounts worldwide – including 6.3 million child user profiles – were affected by the data breach.

In both cases, the compromised details included customer names, email addresses, passwords, IP addresses, mailing addresses, and download histories. It is unclear if any financial records were also stolen. At least one person has reportedly been detained in connection with the VTech hack by authorities in the United Kingdom. In the VTech case, an unidentified hacker claimed in an interview that pictures of children were stolen using the devices’ cameras. However, this has not yet been confirmed. At least two U.S. state governments have launched a probe into the incident, along with authorities in Hong Kong.

This serves as a reminder of some of the serious challenges posed by smart toys, and other children’s devices that are connected to the internet and susceptible to hacking.

Smart toys: a hacker’s dream

Data security experts have long warned of the potential hacking vulnerabilities of smart toys, among other internet connected devices. Younger children are an attractive target for hackers as they increasingly have a larger digital presence, often starting at birth with an announcement on social media. Profiles of children are particularly useful for identity thieves, and due to the absence of a credit history a financial crime involving a child’s details may take several years to be detected. Hackers also engage in cyber bullying among peers and online competitors.

More sinister motives for such crimes include child trafficking and online sexual abuse. A related worst-case scenario is the increasing vulnerability of children to kidnapping, as they may be tracked through such devices. Voice playback features can be used to conduct “virtual kidnappings”, in which the criminal calls a parent, uses the captured voice recordings to convince them that the child has been kidnapped, and demands a ransom. Tangentially, security expert Matt Jakubowski alleged that Mattel’s WiFi-enabled Hello Barbie doll can be turned into a surveillance device without the owner’s knowledge. Jakubowski claims the wireless connection allows easy access to the doll’s system information, account information, stored audio files, and the microphone itself.

Sinister design

Innovative methods of using smart toys for criminal activities are not new. According to Chad Larsen, Director of Technical Services at Leviathan Security Group, a few years ago a toy called Robio, an internet-connected robot, was hacked to take pictures of the homeowner’s keys. The images were sent to an internet service that made perfect replicas.

In another incident involving smart toys, security researcher Samy Kamkar claimed in April 2015 to have created a pocket-sized tool called OpenSesame, which could open any garage door that relies on an insecure “fixed code” system for wireless communication with its remote. The device was built from a discontinued Mattel toy called the IM-ME, modified with a cheap antenna and an open-source hardware attachment.

A separate concern for consumers is that a hacked toy could also be used to gain access to parents’ or other family members’ user information via a shared wireless internet connection. For example, a quadcopter, a type of drone popular among older children and remote control enthusiasts, was reportedly infected with malware that caused the device to malfunction. Researchers claim that similar malware may also be used to tap into wireless networks and compromise other connected devices, including computers and mobile phones. The risk is further heightened when toys are paired with smartphones, since an attacker who gains root access to the phone’s operating system can disable it and steal information.

Business impact

According to market research firm Interpret, by July 2014 the market for smart toys had grown to 72 million units worldwide, with key segments emerging in the United States, Japan, Russia, and China. In November 2015, Juniper Research estimated that the smart toy industry will reach USD 2.8 billion (EUR 2.56 billion) in hardware and app content revenue.

These latest hacking incidents are likely to cause concern among parents and other consumers about the use of smart toys and their ability to store information safely. While several toy manufacturers, including Disney and Lego, are bridging the physical-digital divide and leveraging the ability of devices to interact with each other, major barriers to the mass manufacturing of such toys are the operational and retail costs involved. Price is a hurdle for customers, and as further security research into cloud servers and interactive “intelligent” toys occurs in the short term, this may result in further price increases.

In addition to the negative brand image for companies exposed to hacking, they may also face potentially expensive litigation and scrutiny before expanding into newer markets. VTech, for example, is a relatively small player with a market capitalisation of about HKD 21.9 billion (USD 2.8 billion), and its stock reportedly plummeted over 20% in the aftermath of the hacking scandal. This demonstrates the significant risk for small-scale manufacturers in the smart toy industry.

Another corollary of toys being used for hacking involves state-sponsored spying. Security experts have warned that governments may also tap into toys to monitor suspects. In the United Kingdom, it is speculated that the upcoming investigatory powers bill may require tech manufacturers to help the government hack into suspected terrorist devices, in conjunction with a warrant. Backlash against support for state spying could involve digital attacks against the manufacturer. An example is the hack against the Angry Birds app maker Rovio in January 2014, following unconfirmed allegations that the developer assisted the U.S. National Security Agency in gathering users’ personal data. Furthermore, suspected collaboration with governments could result in manufacturers being blacklisted in markets under strict political control, or restrictions in countries where political ties are strained.

Recommendations

Toy manufacturers, especially those with products that connect to servers, are encouraged to conduct a thorough information security audit of their systems and address any weaknesses immediately. An added precaution for parents is to ensure that children’s devices follow the same security practices as tablets, smartphones, game consoles, smart watches, and other portable electronic devices. Among these measures, consumers are encouraged to keep firewall and anti-virus settings up to date across their internet-connected devices. If smart toys can be used to hack into other devices, the process can also work in the opposite direction.

Clients who suspect their data has been compromised should ensure that the same passwords and other confidential information are not used on other websites, especially those related to financial matters, email, or social media. Where there is any overlap, it is advisable to change those passwords immediately. Clients should also ask their financial institutions to enable two-factor verification to limit the impact of a breach. When possible, do not use the same network for personal and work-related activities. Victims of cyber-crime are advised to have the breach investigated by a professional, and clients with access to critical information should keep their IT security teams abreast of the most recent developments.

UPDATE: Google Play removes 13 Brain Test malware-affected apps

According to media reports on January 10, 2016, Google has removed 13 malicious apps from its Google Play Store after Lookout, a mobile cybersecurity firm, found that the Brain Test strain of malware had returned. The infected apps reportedly removed from the Play Store are Cake Blast, Jump Planet, Honey Comb, Crazy Block, Crazy Jelly, Tiny Puzzle, Ninja Hook, Piggy Jump, Just Fire, Eat Bubble, Hit Planet, Cake Tower, and Drag Box. The apps were downloaded hundreds of thousands of times, with an average review rating of four stars. Researchers at Lookout found that apps carrying variants of the Brain Test malware attempted to gain root access. Performing a factory reset is not enough to remove the malware from a compromised device, because the reset does not clear the system partition into which the rooted malware installs itself. The first two Brain Test malware instances were discovered by Check Point in September 2015. According to Lookout, the recent strain was discovered in October and was similar to the ones found by Check Point.

Analyst Comment: Pinkerton recommends users with the above Android apps follow the steps recommended by Lookout. A backup of all important data on the Android device is recommended before initiating the process. According to the company, the best solution at hand would be to re-flash a read-only memory (ROM) supplied by the manufacturer, as a factory reset would not be effective in removing the malware on an Android device. Pinkerton strongly discourages Android users from downloading apps from unknown developers. Most importantly, Pinkerton suggests that you should never keep any confidential data on your personal mobile device.
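The update above makes a point worth verifying rather than assuming: a factory reset rewrites the user data partition but leaves /system untouched, so malware that obtained root and wrote itself there survives the reset, and the remedy is to re-flash the vendor ROM. The following added example (not Lookout's or Pinkerton's tooling, and not code from the original brief) shows how an analyst can confirm whether the system partition still matches a known-good image. It assumes two sha256sum-style listings of /system have already been captured, for instance with `adb shell find /system -type f -exec sha256sum {} +` (assumption: the device ships a sha256sum binary), one from a trusted factory image and one from the suspect device after the reset. The manifests below are constructed sample data with placeholder digests and a placeholder package path, not real file hashes or indicators from the Brain Test campaign.

```python
"""Integrity check of an Android /system partition against a known-good manifest.

Added example; assumes sha256sum-style listings ("<sha256>  <path>" per line)
captured from a trusted image and from the suspect device.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ManifestDiff:
    added: list[str] = field(default_factory=list)     # files absent from the baseline
    removed: list[str] = field(default_factory=list)   # baseline files now missing
    modified: list[str] = field(default_factory=list)  # same path, different digest

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def parse_manifest(text: str) -> dict[str, str]:
    """Parse `<sha256>  <path>` lines into {path: digest}; skip blanks and junk."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].strip()
        # A SHA-256 digest is exactly 64 hex characters; reject anything else.
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        entries[path] = digest
    return entries


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> ManifestDiff:
    """Report files that were added to, removed from, or changed on /system."""
    diff = ManifestDiff()
    for path, digest in sorted(current.items()):
        if path not in baseline:
            diff.added.append(path)
        elif baseline[path] != digest:
            diff.modified.append(path)
    for path in sorted(baseline):
        if path not in current:
            diff.removed.append(path)
    return diff


def verdict(diff: ManifestDiff) -> str:
    """A factory reset wipes /data, not /system, so any deviation that survives
    the reset means the system partition itself was altered: re-flash it."""
    if diff.is_clean():
        return "system partition matches baseline"
    return "system partition differs from baseline: re-flash the vendor ROM"


# --- Constructed sample manifests (placeholder digests, not real file hashes) ---
def _fake_digest(ch: str) -> str:
    return ch * 64


BASELINE_TEXT = "\n".join([
    f"{_fake_digest('1')}  /system/app/Calculator/Calculator.apk",
    f"{_fake_digest('2')}  /system/bin/sh",
    f"{_fake_digest('3')}  /system/framework/framework.jar",
])

CURRENT_TEXT = "\n".join([
    f"{_fake_digest('1')}  /system/app/Calculator/Calculator.apk",
    f"{_fake_digest('9')}  /system/bin/sh",  # constructed: digest changed
    f"{_fake_digest('3')}  /system/framework/framework.jar",
    # constructed placeholder for a package dropped into the privileged app dir
    f"{_fake_digest('4')}  /system/priv-app/ExampleDropper/ExampleDropper.apk",
    "not a manifest line",  # junk that the parser must ignore
])


def check_sample() -> ManifestDiff:
    return diff_manifests(parse_manifest(BASELINE_TEXT), parse_manifest(CURRENT_TEXT))


if __name__ == "__main__":
    result = check_sample()
    print(verdict(result))
    for label, paths in (("added", result.added), ("modified", result.modified),
                         ("removed", result.removed)):
        for p in paths:
            print(f"  {label}: {p}")
```

The comparison is deliberately done on a file-by-file basis rather than on a single hash of the whole partition image, because a per-file report tells the analyst which package or binary was planted or altered and therefore what to hand to the vendor or to a malware analyst, whereas a whole-image mismatch only says that something changed.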

Published January 03, 2016