Internet of Threats

Internet of Things and Internet of Toys

With the rise of “smart speakers” such as Amazon Echo and Google Home, it was only a matter of time until kids’ toys would get the “smart treatment”. This is just one niche in the broad field of IoT (Internet of Things); thus, a new IoT emerged, the so-called Internet of Toys.

According to Lanner Electronics:

“IoT is as much a concept and ideology as it is a technological undertaking. It seeks to take quite literally anything (ergo “thing” in IoT), i.e. printer, coffeemaker, shoes, light-bulbs, and breathe new life and purpose into it by applying just the right amount of embedded, networked technology (the internet component in IoT).”

Yes, you read that right: shoes that are connected to the internet. And that is not all; a short search reveals other “things” that can be connected to the internet:

  1. Oven
  2. Plushies for children
  3. Doorbells
  4. Smart locks
  5. Air quality monitor
  6. Blood pressure monitor
  7. Gesture control
  8. Smart Cooker
  9. Smart bed mattress
  10. Kids smart watch
  11. Smart baby monitor

And the list can continue. Do those things make their users’ lives easier? Of course they do, and I am not saying they are not trying to achieve that. But just try to imagine all the different types of data that they are collecting.

In a recent article, we talked about how VTech (a toy manufacturer) settled for $650,000 in a case that involved breaching COPPA. Furthermore, although this is one of the worst-case scenarios, we must remember that information means power. We already give up a lot of our privacy just by using a smartphone. How would a person feel having an IoT device installed in their house, one that is active 24/7 and is passively listening and following each and every move that they make?

According to the FTC, VIZIO, a popular manufacturer of high-quality, affordable smart TVs, had to pay a fine of $2.2 million. This happened because it was found that those same TVs were happily tracking what their users were watching. Furthermore, all that data was sent back to VIZIO’s servers, and from there it was sold to advertisers.

“According to the complaint, VIZIO touted its “Smart Interactivity” feature that “enables program offers and suggestions” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that VIZIO’s data tracking—which occurred without viewers’ informed consent—was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws.”

In 2016, The Norwegian Consumer Council said that:

“The internet-connected toys My Friend Cayla and i-Que fail miserably when it comes to safeguarding basic consumer rights, security, and privacy.”

Furthermore, in their analysis of two IoT Toys, The Consumer Council revealed several serious issues:

Lack of security
With simple steps, anyone can take control of the toys through a mobile phone. This makes it possible to talk and listen through the toy without having physical access to the toy. This lack of security could easily have been prevented, for example by making physical access to the toy required, or by requiring the user to press a button when pairing their phone with the toy.

Illegal user terms
Before using the toy, users must consent to the terms being changed without notice, that personal data can be used for targeted advertising, and that information may be shared with unnamed 3rd parties. This and other discoveries are, in the NCC’s opinion, in breach of the EU Unfair Contract Terms Directive, the EU Data Protection Directive, and possibly the Toy Safety Directive.

Kids’ secrets are shared
Anything the child tells the doll is transferred to the U.S.-based company Nuance Communications, who specialize in speech recognition technologies. The company reserves the right to share this information with other third parties, and to use speech data for a wide variety of purposes.

Kids are subject to hidden marketing
The toys are embedded with pre-programmed phrases, where they endorse different commercial products. For example, Cayla will happily talk about how much she loves different Disney movies. Meanwhile, the app-provider has a commercial relationship with Disney.
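
The button-press mitigation the Consumer Council describes under “Lack of security”, sketched as an added example (it is not code from the toys, their vendor, or the Council’s report). The class and method names, the 30-second window and the phone identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PAIRING_WINDOW_S = 30.0  # assumed: how long the toy stays pairable after a press


@dataclass
class ToyPairingGate:
    """Hypothetical gate deciding which phones may talk or listen through the toy."""
    window_s: float = PAIRING_WINDOW_S
    _open_until: float = -1.0  # pairing stays closed until the button is pressed
    _bonded: set = field(default_factory=set)

    def button_pressed(self, now: float) -> None:
        # Only a physical press on the toy itself opens the pairing window.
        self._open_until = now + self.window_s

    def request_pairing(self, phone_id: str, now: float) -> bool:
        # Outside the window every request is refused: no press, no pairing.
        if now > self._open_until:
            return False
        self._bonded.add(phone_id)
        # One press bonds one phone; close the window immediately afterwards.
        self._open_until = -1.0
        return True

    def may_stream_audio(self, phone_id: str) -> bool:
        # Talking or listening through the toy requires an existing bond.
        return phone_id in self._bonded

    def factory_reset(self) -> None:
        # Drop all bonds, e.g. before the toy changes hands.
        self._bonded.clear()
        self._open_until = -1.0


def demo() -> list:
    """Constructed scenario: a stranger's phone versus the parent's phone."""
    gate = ToyPairingGate()
    results = []
    results.append(gate.request_pairing("stranger-phone", now=0.0))    # no press yet
    gate.button_pressed(now=10.0)
    results.append(gate.request_pairing("parent-phone", now=15.0))     # inside window
    results.append(gate.request_pairing("stranger-phone", now=16.0))   # window used up
    gate.button_pressed(now=100.0)
    results.append(gate.request_pairing("stranger-phone", now=131.0))  # window expired
    results.append(gate.may_stream_audio("parent-phone"))
    results.append(gate.may_stream_audio("stranger-phone"))
    return results
```
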

Instead of a witty closing remark, I will leave you with a list of interesting resources that deal with the Internet of Toys. I do hope they will help you, should you wish to find out more about this subject.

Oh, and this awesome video from Finn Myrstad of the Norwegian Consumer Council.

VTech settles for $650,000

If you fancy technology and you have small children, then you might have heard about the company named VTech Electronics. The main focus of this article is VTechKids.com.

VTech is an electronic toy manufacturer based in Hong Kong, which, according to the FTC, has violated children’s privacy. On the 8th of January, the company agreed to settle and pay a fine of $650,000. The money should be paid in the following 7 days.

Children’s privacy is ensured by the Children’s Privacy Act published in 1998.

It all started in 2015, when a data breach leaked the personal data of VTech’s users and of their children. According to VTech’s 2015 statement:

“VTech Holdings Limited today announced that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.”

[…]

“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.”

On the bright side, in the same statement it has been mentioned that:

“In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).”

Nevertheless, personal information that included children’s first and last names, email addresses, dates of birth, and genders was leaked. Soon after, Motherboard did an interview with the person who stole the data (images, chat logs, and even audio files).

“Frankly, it makes me sick that I was able to get all this stuff.” – Motherboard

Soon after the breach, the company altered their TOS:

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.” – VTech TOS – item no.7

Fast forward to the 8th of January 2018, and according to the FTC order, VTech has settled for a fine of $650,000.

According to the FTC’s complaint:

“The Complaint charges that Defendants participated in deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, in the making of a deceptive statement relating to their collection, storage, and transmittal of covered information. The Complaint further charges that Defendants violated the COPPA Rule by failing to post a privacy policy for their Kid Connect online service providing clear, understandable, and complete notice of their information practices; failing to provide direct notice of their information practices to parents; failing to obtain verifiable parental consent prior to collecting, using, and/or disclosing personal information from children; and failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”

Furthermore, VTech has to implement a data security program that will face biannual independent audits spanning a period of 20 years.

In Monday’s announcement of the VTech settlement, the acting FTC Chairwoman Maureen K. Ohlhausen said:

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data. Unfortunately, VTech fell short in both of these areas.”

Even though this was the first case against children’s privacy violations to be settled, since toys become more and more connected, I’m going to bet it will not be the last one.

Can’t wait to see a new app called “Smartphone Hide’n’Seek”.