Experts offer guidance on how to navigate the world of connected toys.
VTech calls it “the smartest watch for kids.” The Kidizoom Smartwatch DX promises educational fun, with a video camera and motion sensor that can make the watch tweet like a bird when your child flaps his or her arms.
But the watch may also have connected your children with attackers, who accessed their names, pictures and birth dates, according to VTech’s announcement about its massive breach that affected more than six million children around the world.
Even more, VTech said parents’ accounts may have been accessed, too, including names, secret questions and answers, and encrypted passwords.
“The breach underscores how digital products aimed at kids often have far weaker security than other computer products, and may pose a threat to a booming industry,” reported Reuters.
The article cited information from Juniper Research saying shipments of toys that connect to the Internet will rise 200% over the next five years, and toys that gather data on the user will grow by almost 60% each year.
What’s a parent to do?
Cybersecurity experts recommend you tread carefully, and analyze each interaction on a case-by-case basis.
“My recommendation as a parent is to set up aliases for your kids for all but the most trusted sites until they are at an age where they can reasonably manage their own identity,” said Patrick C. Miller, managing partner at Archer Security Group.
“Talk about the use of this alias—I call it a ‘spy cover name’ for my two boys—with your kids to help them understand.”
Reuters reports that VTech encouraged buyers of the company’s cameras, watches and tablets to provide names, addresses and birth dates when signing up for accounts where they can download updates, games, books and other content.
“The information is used to identify the customer, market our content and track their downloads,” VTech said on its site.
Parents should consider the location of the toy company, said Leonard Chamberlin, also with Archer Security Group.
VTech is based in Hong Kong.
“Don’t voluntarily send your or your children’s personal info to a company headquartered in a country that is a known threat actor!” Chamberlin said. “According to the press, the Chinese are doing a good enough job hacking us without us voluntarily handing over our personal info!”
VTech did not take common steps to protect customer passwords in the event of a breach, the BBC reported.
Rik Ferguson, with the cybersecurity firm Trend Micro, said VTech had not properly scrambled customer passwords in its database and had also stored customers’ security questions and answers in plain text, according to the BBC.
Chamberlin said he understands that some parents will want their kids to have the latest tech toys. But he warned families to be careful.
“There’s a reason why the age limit to sign up for Facebook is 13,” he said. “It’s to protect children from this exact scenario—providing personally identifiable information to commercial websites.”
He recommended parents do research before giving their children’s information to a company selling connected toys.
“There’s always going to be some risk inherent with the use of electronic communications to submit sensitive information,” Chamberlin said. “But to help mitigate that risk, I would suggest making sure the vendor complies with the Children’s Online Privacy Protection Act (COPPA) before submitting any of your children’s info electronically to that vendor.”
Miller said it may be hard for parents to know if criminals actually utilize information from the VTech breach.
“The challenge here will be how to tell if the child’s identity has been used, and for what,” said Miller. “Many adults are monitoring their own credit, whether through services or simple email alerts from their financial institutions. This type of monitoring is far more challenging when it comes to children who have nothing more than a Social Security number.”
More protection for your child
Some states allow you to take steps to protect your child’s identity.
Oregon, for example, allows you to create a protected account for your child with each of the three major reporting agencies, and then put a freeze on the three accounts for about $10 each.
If you check and find your child already has a credit report, that may be a sign that someone has already misused your child’s personal information.