Ken Munro, managing director of Pen Test Partners, has called for a boycott of toy manufacturer VTech.
Munro made the statement last week at the SC Congress. The veteran pen tester told the audience that VTech had publicly relinquished its responsibility to protect customer data in a recent update to its terms and conditions. The company is also still selling toys that have been shown to be vulnerable for over a year.
Similar calls have echoed around the internet off the back of VTech's recent behaviour. Many of them came shortly after Troy Hunt, an Australian security researcher, wrote that VTech had changed its terms and conditions for customers.
These updated terms and conditions include the statement that if you agree to use VTech products, “you acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.”
VTech was the subject of a massive hack last year, which resulted in the theft of data on millions of adults and children, adding a sinister new element to the world of data breaches.
According to outside observers, VTech's security was laughable: the company used unsalted MD5 password hashes and no SSL encryption, among a host of security faults considered dated to the point of negligence today. An unsalted, fast hash like MD5 means that every account sharing a password shares the same stored hash, and that a stolen hash can be matched against a precomputed table of common passwords in a single lookup; without SSL, credentials and personal data travelled across the network in the clear.
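The following is an added illustration, not code from VTech or from the researchers quoted here, of why unsalted MD5 is considered negligent: the wordlist and the three "leaked" records are constructed for the example. It contrasts the legacy scheme (one MD5 digest per password, crackable with a reusable lookup table) with a per-user random salt and a slow, iterated PBKDF2-HMAC-SHA256, where an attacker must redo the full work for every record. The iteration count of 100,000 is an assumption chosen for the demo, not a recommendation tied to any particular product.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for the common-password lists attackers
# feed to crackers. Not derived from any real breach data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme (weak): a single unsalted MD5 digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute digest -> plaintext once. Because there is no salt, the same
    table works against every unsalted MD5 dump ever leaked."""
    return {md5_unsalted(w): w for w in wordlist}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recovering an unsalted hash is one dictionary lookup, not a computation."""
    return table.get(stored_hash)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Hardened scheme: 16 random bytes of salt per user plus an iterated,
    deliberately slow KDF. Stored as 'pbkdf2_sha256$iters$salt_hex$digest_hex'.
    (100_000 iterations is an assumed demo value.)"""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(stored: str, wordlist) -> Optional[str]:
    """Against a salted record the attacker cannot reuse a table: every guess
    must be re-derived with that record's own salt and full iteration count."""
    for guess in wordlist:
        if pbkdf2_verify(guess, stored):
            return guess
    return None


def demo():
    # Constructed records: note alice and bob chose the same password.
    users = {"alice": "password", "bob": "password", "carol": "hunter2!x"}
    table = build_lookup_table(WORDLIST)

    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    cracked_unsalted = {u: crack_unsalted(h, table) for u, h in unsalted.items()}

    salted = {u: pbkdf2_hash(p) for u, p in users.items()}
    return unsalted, cracked_unsalted, salted


if __name__ == "__main__":
    unsalted, cracked, salted = demo()
    print("unsalted MD5 (alice == bob?):", unsalted["alice"] == unsalted["bob"])
    print("cracked by table lookup:", cracked)
    print("salted PBKDF2 (alice == bob?):", salted["alice"] == salted["bob"])
```

Running `demo()` shows the two properties that make unsalted MD5 a liability in a breach: identical passwords collapse to identical hashes, so cracking one record cracks every account that shares it, and a table built once from a wordlist recovers those records with no further work. With a per-user salt the same two accounts store different strings, and `crack_salted` has to spend the full PBKDF2 cost on every guess for every record.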
Troy Hunt, among the first to get a look at the stolen data, commented to SC at the time of the massive hack that, “The VTech systems I saw were very old with most of the technology dating back half a decade or more.”
Instead of updating security, VTech seems to have washed its hands of that responsibility altogether. It was this that sparked the righteous ire of Ken Munro, parents and the cyber-security community.
To Munro, VTech are being profoundly irresponsible. He told SC: “They've had a breach, we know how to respond to breaches properly.” Munro points to the big retail breaches of the last few years in which the breached company was fully mobilised to try and overcome the situation: “You fix the problem. You reassure everyone you fixed the problem. You take steps forward to make sure it never happens again.”
VTech may have done that up to a point after last year's breach but are now “undermining everything they've done to try and shift responsibility to the consumers. [This] tells me they're not serious.”
Another issue for Munro, which he voiced at last week's SC Congress, was that the company continues to sell toys, even after the breach, that have been shown to be vulnerable. The Innotab tablet, for example, runs on a Rockchip processor, a piece of hardware publicly known to be exploitable for nearly two years.
VTech spoke to SC, saying that there are certain things that are out of the company's hands. “Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information. But no company that operates online can provide a 100 percent guarantee that it won't be hacked”, said a spokesperson from VTech.
These terms and conditions, “like the T&Cs for many online sites and services, simply recognise that fact by limiting the company's liability for the acts of third parties such as hackers. Such limitations are commonplace on the Web.”
Munro is not quite satisfied with that response. Perhaps 100 percent security is not possible, but VTech has missed the point, Munro told SC: “There will always be the stupid user - you can't be expected to take account for everything else - but you can design a good system.”
Still, it is doubtful whether the company's stated position will hold up across multiple jurisdictions. The Information Commissioner's Office, which oversees the handling of private data throughout the UK, told the BBC that, "the law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure".
Europe's incoming General Data Protection Regulation will also make short work of VTech's position. When it comes into effect in 2018, any organisation operating within the EU will be legally bound to protect its customers' data.