It was not an auspicious beginning to the holiday season. On Black Friday, we learned that a hacker had broken into the servers of Chinese toymaker VTech and lifted the personal information of nearly five million parents and more than 200,000 children. The data haul included home addresses, names, birth dates, email addresses, and passwords. Worse still, it had photographs and chat logs of parents with their children.
The exploit raised the obvious question: as more toys become connected to the Internet, how many have lax security? And how many millions, or hundreds of millions, of children are in danger due to it? We got a partial answer on Dec. 4, when Bluebox Security discovered serious vulnerabilities in Mattel’s Hello Barbie, the Internet-connected version of the iconic doll toy. It is entirely possible that the majority of Internet-connected toys have serious vulnerabilities. There are many reasons for this.
First, these are the early days of hack-attacks on toys, so hackers have a head start. And then there are no real regulations for the Internet of Things — devices that are connected to each other and to the Internet. It isn’t just toys; the Internet of Things includes appliances, cars, and a host of previously unconnected digital and semi-analog devices.
The Internet of Things is not secure, largely because companies don’t feel obliged to invest the time, money and effort necessary to secure their devices. There also aren’t any global security standards or accepted guidelines. To make matters worse, companies are not required to tell consumers what information they are gathering and how they will protect it. The recall by Fiat Chrysler Automobiles, in July 2015, of 1.4 million Chrysler, Dodge, Jeep and Ram vehicles demonstrated the extent of the problem. The company had long known about security vulnerabilities in its touchscreen and Uconnect systems, yet it didn’t correct them until Wired magazine and The Post published exposés showing how the vehicle could be hijacked while the driver was at the wheel. Lives could have been lost due to that.
Protecting children from hack attacks is exceptionally important. They are vulnerable and innocent. And that makes them emotionally charged targets for cyber-extortion attacks. Imagine if a truly evil hacker had accessed the VTech systems and intercepted communications or captured images from the cameras. Parents could have easily have faced extortion through threats to harm their kids. And many would have paid. Last year, Fox 19 reported that a man hacked into a baby monitor in a home in Cincinnati, Ohio, and started screaming “Wake up baby!” at a 10-month-old girl. The parents, understandably, felt violated.
VTech quickly admitted that its security had not been up to snuff. But let’s be clear about this. VTech had little real incentive to worry about security. Of course the company did not want to harm its customers; but there is no real bite in the laws seeking to penalize companies for failing to protect their customers’ data. Even in California, where companies are legally required to quickly disclose hacks and warn customers that their data have been stolen, breaches continue. Globally, cyber attacks increased by 48 percent from 2013 to 2014, according to a large survey by consultancy PwC. Those attacks cost businesses, on average, $2.7 million per incident.
It is possible that recall costs are not sufficient motivators. Rarely are victims compensated for the loss of control of their identity, an unfortunate gift that keeps on giving for many years to come. VTech earns $2 billion in revenue and says that Internet-connected children’s products are amongst the fastest area of its growth. A better way to deal with this might be to dramatically raise the penalties for lax security. This could be accomplished by insurance companies but should also include some mandatory payback clause to compromised customers. Or perhaps it could be a contribution system whereby all manufacturers of connected devices pay into a compensation pool. This is, of course, another flavor of insurance. Businesses would hate this idea, but it might force them to do the right thing.
Increases in government regulations are rarely productive and can often harm innovation. But it may be prudent to expand the equipment authorization program of the FCC. This requires the testing of radio frequency devices used in the United States to ensure that they operate effectively without causing harmful interference and that they meet certain technical requirements. These requirements could include the encryption of data and other security safeguards. This is particularly important given that our Internet of Things devices are mostly manufactured in China. The security holes could allow snooping on an unprecedented level — in homes as well as offices.
And here’s a really radical thought.
What if we mandated that businesses create systems that allow customers to control their own data — to see what is being collected and to alert them when those data are stolen? This has long been a pipedream of privacy activists. But we are actually tantalizingly close to having the capability of creating such as system.
My colleagues at Stanford Law School, and many others, have been researching how this would work. Roland Vogl, who heads Codex, the Stanford Center for Legal Informatics, envisages a system that allows people to manage and analyze all of their structured data, including those generated by Internet of Things devices. End users would connect their devices to a “personal dashboard,” through which they will be able to monitor and control their data. They would select which data can be shared and with which companies. Vogl says there are already some implementations of these technologies, such as OpenSensors and the Wolfram Connected Devices Project.
The solutions aren’t difficult. We just need the motivation, regulation and coordination. The alternative, in today’s Wild Wild West of Internet of Things development, is a runaway increase in security nightmares. It is better to set the standards now and ensure a safer cyber world for our children and ourselves.