Popular toys have never been risk-free. Now, in addition to watching out for choking hazards, toxic chemicals, and toys so loud they can damage a child’s hearing, parents need to know that some children’s playthings may reveal our personal information to hackers or corporate spies.
I’ve never been a fan of Barbie dolls, but Mattel hit a new low this year with the interactive “Hello Barbie.” The non-profit Campaign for a Commercial-Free Childhood has been sounding the alarm about this creepy toy for months and provided eight good reasons not to buy it. The doll made the group’s list of six contenders for Worst Toy of the Year, for the following reasons:
Prepare your daughter for a lifetime of surveillance with Hello Barbie, the doll that records children’s private conversations and transmits them to cloud servers, where they are analyzed by algorithms and listened to by strangers. Girls will learn important lessons, like that a friend might really be a corporate spy, and that anything you say can and will be used for market research. Plus, unlike old-fashioned toys that tax children’s imaginations by forcing them to give their dolls a personality and make up conversations, Hello Barbie will do the heavy imaginative lifting – and all for the low, low price of your daughter’s privacy (and $74.99 plus tax). Don’t harbingers of the coming dystopia make the best toys?
Although there’s some stiff competition in the “worst toy” category, I give Hello Barbie a good chance to win the Campaign for a Commercial-Free Childhood’s 2015 TOADY (Toys Oppressive And Destructive to Young Children) Award, especially after Tammy Leitner broke the news for NBC 5 news in Chicago that the “New Wi-Fi-Enabled Barbie Can Be Hacked.” Click through to watch her investigative report, or read the highlights in Samuel Gibbs’ write-up for The Guardian:
US security researcher Matt Jakubowski discovered that when connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.
Jakubowski told NBC: “You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”
Once Jakubowski took control of where the data was sent the snooping possibilities were apparent. The doll only listens in on a conversation when a button is pressed and the recorded audio is encrypted before being sent over the internet, but once a hacker has control of the doll the privacy features could be overridden.
It was the ease with which the doll was compromised that was most concerning. The information stored by the doll could allow hackers to take over a home Wi-Fi network and from there gain access to other internet connected devices, steal personal information and cause other problems for the owners, potentially without their knowledge.
An even greater threat to privacy affects millions of people whose kids own ostensibly educational toys sold by VTech. The whole “edutainment” industry is arguably a scam, as research has shown no benefits for babies or young children who watch television videos or play with screen devices marketed as brain-building. Yesterday, Lorenzo Franceschi-Bicchierai reported for Motherboard that a hacker broke into VTech’s servers, uncovering “names, email addresses, passwords, and home addresses of 4,833,678 parents” who have bought the company’s products, as well as “the first names, genders and birthdays of more than 200,000 kids.” I had never heard of VTech, which
sells a plethora of kids’ toys and gadgets, including tablets, phones, and a baby monitor. The company also maintains an online store, called Learning Lodge, where parents can download apps, ebooks, and games for VTech products.
The hacker “claims to have shared the data only with Motherboard, though it could have easily been sold online.” Franceschi-Bicchierai asked Troy Hunt to analyze the information. His findings may terrify those who own VTech products.
Hunt analyzed the data and found 4,833,678 unique email addresses with their corresponding passwords. The passwords were not stored in plaintext, but “hashed” or protected with an algorithm known as MD5, which is considered trivial to break. (If you want to check whether you’re among the victims, you can do it on Hunt’s website Have I Been Pwned.)
Moreover, secret questions used for password or account recovery were also stored in plaintext, meaning attackers could potentially use this information to try and reset the passwords to other accounts belonging to users in the breach—for example, Gmail or even an online banking account.
“That’s very negligent,” Hunt said. “They’ve obviously done a really bad job at storing passwords.”
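To illustrate the password-storage weakness described in the quoted Motherboard passage, the following Python is an added example, not code from VTech, Hunt or the original post. It assumes the MD5 hashes were unsalted; the account names, passwords, PBKDF2 work factor and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example; tune to your hardware


def unsalted_md5(secret: str) -> str:
    """Fast single-pass MD5 as named in the article; no salt is this example's assumption."""
    return hashlib.md5(secret.encode()).hexdigest()


def shared_digests(records: dict[str, str]) -> list[list[str]]:
    """Group accounts whose stored digests match, a sign that no per-user salt is used."""
    groups = defaultdict(list)
    for user, digest in records.items():
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def protect(secret: str) -> tuple[bytes, bytes]:
    """Hardened form: random per-record salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def verify(secret: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def normalize_answer(answer: str) -> str:
    """Recovery answers are secrets too: fold case and spacing, then store via protect()."""
    return " ".join(answer.lower().split())


# Constructed sample accounts (not data from the breach).
ACCOUNTS = {"parent_a": "sunshine1", "parent_b": "Tr1cycle!", "parent_c": "sunshine1"}

if __name__ == "__main__":
    weak = {user: unsalted_md5(pw) for user, pw in ACCOUNTS.items()}
    print("accounts sharing a digest:", shared_digests(weak))
    salt_a, hash_a = protect(ACCOUNTS["parent_a"])
    salt_c, hash_c = protect(ACCOUNTS["parent_c"])
    print("salted hashes differ:", hash_a != hash_c)
    print("correct password verifies:", verify("sunshine1", salt_a, hash_a))
    salt_q, hash_q = protect(normalize_answer("  Maple Street "))
    print("recovery answer verifies:", verify(normalize_answer("maple street"), salt_q, hash_q))
```

With the unsalted scheme, two parents who chose the same password are visibly linked in the stored data; with a per-record salt and a slow key-derivation function, the same password produces unrelated values, and recovery answers get the same protection instead of sitting in plaintext.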
Hunt’s own blog post about the VTech hack is a must-read.
When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.
I didn’t understand all of Hunt’s technical details, but he made a convincing case that VTech’s modifications to security settings are “insufficient” and that consumers should not be fooled by the company’s assurances that credit card data remain secure.
Frankly, I couldn’t care less about credit cards and as I’ve explained before, these statements are designed to appease the likes of PCI [Payment Card Industry] and are of little consequence to consumers when genuinely sensitive things – irreplaceable things – are lost by a company that suffers a data breach.
Plenty of low-tech toys stimulate creative play without risking your family’s privacy. As “Geekdad” Jonathan Liu observed in his classic 2011 piece on The 5 Best Toys of All Time, some of the simplest toys (a stick or a cardboard box) can have the best play value. I mostly agree with Liu’s list but would replace “dirt” with “ball.”
P.S.- This week the Public Interest Research Group released its 30th annual Trouble in Toyland report on dangerous toys. Click through to download the whole document. From the summary findings:
• Toys with high levels of toxic substances are still on store shelves. We had chemical testing done at a lab which is accredited by the Consumer Product Safety Commission (CPSC).
• We found the Fun Bubbles jump rope from Dollar Tree which had 10 times the legal limit of the banned phthalate DEHP (tested at 10,000 ppm), and also had 190,000 ppm of the toxic phthalate DIBP which has not yet been banned. However, the CPSC has proposed a rule which has not been finalized that would add DIBP to the list of banned phthalates.
• In preliminary tests, we also found high levels of the heavy metal chromium in three toys. The high content of chromium in the products we found doesn’t necessarily mean that they violate the law. We believe it is a cause for concern, and we call on the CPSC to do further testing.
• Positively, while the CPSC has recalled some toys for lead violations this year, our tests did not find any. We believe this is a sign of progress, but this does not mean that lead cannot be found in other toys.
• Despite a ban on small parts in toys for children under the age of three, we found toys available in stores that still pose choking hazards. We found a fairy wand from Dollar Tree that has small parts that easily break off, but was not labeled as a choking hazard.
• We found inadequate warning labels in the Disney Pixar Cars Riplash Racers and Disney Planes from Marshalls, G2 Air Mini Football and a Disney Finding Nemo Dory figurine from Five Below, and a Nickelodeon Mermaid Dora the Explorer from Target. These products may have labels suitable for foreign countries, but they were not sufficient to meet U.S. standards.
• Small balls pose a hazard for young children who are inclined to put objects in or near their mouths. We found Magic Towels packaged as a small baseball and a small football at Dollar Tree which did not have the appropriate small ball warning label.
• Balloons pose the most serious choking hazard to children in the U.S. All of the balloon packages we found did include the required warning label reading that children under eight can choke on balloons and balloon parts. However, we found three balloon sets from Party City which included a second, confusing label indicating that the products are for children ages three and older: the Balloon Animal Kit, Mega Value Pack 16 Latex Punch Balloons, and Mega Value Pack 12 Water Bomb Packs.
• We also found toys that are potentially harmful to children’s hearing. We found the Vtech Go! Go! Smart Wheels, Vtech Go! Go! Smart Animals, Vtech Spin & Learn Color Flashlight, Fisher Price Click n Learn Remote, and Leap Frog Fridge Phonics Magnetic Letter Set from Target that, while they don’t violate federal standards, were found to be extremely loud at the ear and at a distance.
• We continue to find small, powerful magnets that pose a dangerous threat to children if swallowed. We found Sizzlers noise magnets from Family Dollar, and Singing magnets from Dollar Tree that are “near-small-parts” which, while they don’t violate federal standards, are small enough to be swallowed and can cause severe internal damage.