Hundreds of children’s pictures exposed in Family Orbit’s server hack
7 September 2018
As much as 281GB of sensitive information, including pictures of hundreds of children, was exposed recently after a hacker gained access to an unsecured cloud server belonging to Family Orbit, a popular seller of spyware products to parents.
Family Orbit advertises itself as “the Best Parental Control App to Protect Your Kids” and offers premium apps to parents to let them monitor their children’s phone activities, locate their children on a real-time map, instantly lock or unlock devices used by their children, and block dangerous apps and websites from such devices.
Family Orbit’s cloud server not secure from hackers
Even though Family Orbit’s services give parents real control over their children’s digital activities and help them keep an eye on vulnerable children at all times, it goes without saying that if control of such apps, or the data stored in them, falls into the hands of a malicious hacker, the threat to the children’s privacy multiplies.
This is exactly what happened recently when a well-meaning hacker gained access to a cloud server owned by Family Orbit that contained up to 281GB of sensitive data, including pictures and video footage of hundreds of children. The data was not secure: the server was protected only by a password, which the hacker found with relative ease.
“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets,” the hacker told Motherboard.
After reviewing screenshots shared by the hacker, Motherboard confirmed that the hacker had indeed gained access to the insecure Rackspace cloud server, which contained 3,836 containers holding 281GB of pictures and videos. Motherboard also verified that email addresses of several users of Family Orbit’s app belonged to genuine users.
After being contacted by Motherboard, Family Orbit said that it did observe “unusual bandwidth” used in their cloud storage and immediately changed the API key and login credentials to prevent the breach of confidential data.
“This is yet another example of the difficulty we face in mitigating the threats to our children’s online safety and digital security, as traditional tools used to protect customers focus on adults, not on the most vulnerable among us,” said Robert Capps, vice president at NuData Security.
Explaining why cyber criminals are particularly interested in stealing the personal data of vulnerable children, he added that such data is often pristine and rarely monitored for misuse, which gives attackers ample opportunity to exploit children’s identities before the abuse is discovered.
“Pictures and videos combined with other data on the consumer from other breaches or even social media, build a complete profile. Using these real identities, and sometimes fake identities with valid credentials, cybercriminals will take over accounts, apply for loans, and much more. Young victims may not find out about the misuse of their own identity until they are 18 and declined for a line of credit, for a credit card or a student loan.
“The current pandemic of data breach and fraudulent use of customer information has to be combated by first changing how we think about online identity verification. All customer data must be protected, but more importantly, it needs to become valueless in the hands of cybercriminals. This technology, that evaluates user’s behaviour, exists right now: it prevents fraudsters with stolen valid credentials from accessing accounts because they can’t replicate the customer behaviour,” he added.
Connected toys for children aren’t as secure as they should be
This isn’t the first time that firms storing huge stacks of vulnerable children’s data have lost control over such data due to poor cyber security protocols. In 2015, names, email addresses, passwords and home addresses of the 4.8 million parents across the world who bought products from Chinese toy manufacturer VTech were exposed by a hacker after the latter used SQL injection to gain access to VTech’s servers.
Aside from the above-mentioned details, the breach also exposed chat logs, audio recordings, and photographs of over 6.3 million children. Earlier this year, VTech paid $650,000 to the U.S. Federal Trade Commission to settle a lawsuit and agreed to strengthen the security around its connected toys.
Earlier this year, research by independent security researcher Sarah James Lewis also revealed the presence of a number of connected toys that featured critical vulnerabilities impacting the security and safety of children.
In November last year, reacting to an increasing number of reports on insecure IoT devices, the Information Commissioner’s Office warned citizens that Internet-connected toys and other IoT devices sold during the Christmas shopping season could put the privacy and safety of children at risk.
‘You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?’ wrote Deputy Information Commissioner Steve Wood in a blog post.
‘In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into,’ he added.