11 Feb 2016

Parents urged to boycott VTech toys after hack

10:24 am on 11 February 2016

Cybersecurity experts have said parents should boycott or at least be cautious of VTech's electronic toys because of how it has handled a hack attack.

They gave the advice after it emerged that VTech's new terms and conditions state that parents must assume responsibility for future breaches.

Photo: Facebook / VTech

More than 6.3 million children's accounts were affected by last year's breach, which gave the perpetrator access to photos and chat logs.

VTech says it stands by the new terms.

"Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information," said a spokeswoman.

"But no company that operates online can provide a 100 percent guarantee that it won't be hacked.

"The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company's liability for the acts of third parties such as hackers.

"Such limitations are commonplace on the web."

The problem with 'full responsibility'

The new terms were flagged in a blog post by the Australian security specialist Troy Hunt.

In it, he detailed additional flaws with VTech's products and alleged that it was misleading for the firm to have described the attack as being "sophisticated".

He also disclosed that the company had issued new terms and conditions on 24 December for Learning Lodge, the software that lets parents add apps to its devices and copy off photos and other saved files.

They tell parents:

"You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.

"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.

"You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk."

Another security researcher, Scott Helme, later confirmed that the terms appeared when Europe-based owners of VTech's InnoTab Max tablets updated their firmware.

Mr Hunt was dismayed.

"People don't even read these things!" he wrote.

"If [VTech] honestly feel they're not up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the 'zero accountability' clause."

'Unforgivable and ignorant'

His condemnation of the firm has since been echoed by four other security experts.

"This is an unbelievably arrogant and derogatory response considering their track record with data security," said Ken Munro from Pen Test Partners.

"If VTech think that those T&Cs are the answer to their problems I think they should be given a bigger problem to deal with. Boycott them and take your money somewhere else."

Prof Angela Sasse - director of the UK Research Institute in Science of Cyber Security - added that she would be "cautious" about all of the firm's products.

"The nature of the security flaws identified, and their displayed lack of urgency in fixing them, casts doubt on their security competence," she told the BBC.

"Instead, they change the T&Cs to 'dump' any risk on their customers - I would not trust a vendor who behaves in this way."

University College London's Dr Steven Murdoch also guided potential shoppers elsewhere.

"The existence of vulnerabilities that result from beginners' mistakes in the VTech website is disappointing, as is their handling of the situation, so it raises serious questions about whether there are vulnerabilities in their other products," he said.

"It would be understandable that potential customers will look elsewhere."

Meanwhile, Trend Micro's Rik Ferguson said the firm's behaviour was "unforgivable, ignorant and indefensible".

"Would I advise consumers to avoid an organisation that attempts to take advantage of its customers' goodwill and to absolve itself of its legal responsibilities with weasel words? Unequivocally, yes."

A lawyer added that VTech's approach was "odd".

"It's unusual to see these terms in consumer contracts and it's questionable if they would be enforceable," said Callum Murray, head of commercial technology at Kemp Little.

Under scrutiny

VTech's reach is about to grow following a deal to take over its US rival Leapfrog, which makes child-centric tablet computers, smartwatches and apps of its own.

But one company-watcher commented that the impact went even further.

"A lot of eyes are on VTech because nothing on this kind of scale has happened in the toy industry before," said Billy Langsworthy, editor of the Toy News trade magazine.

"Toy firms need to be aware that these kinds of cyber-attacks are going to become more common, so right from how they set up their security to how they deal with the PR of a breach is something that this sector is going to have to look at."

- BBC