To the 821,296 people who bought one, the CloudPets teddy toys must have seemed like a great way to exchange intimate voice messages with their kids across what used to be called “the internet”.
A CloudPet is simple to use. The parent or child speaks into a microphone inside the toy, which uses a Bluetooth interface to upload the recording to cloud storage via an Android or iOS smartphone app tied to an account. Recipients download and listen to the message on a second CloudPets toy.
But in a new nadir for the gimmick of sticking the Internet of Things (IoT) inside toys, something went badly wrong with security.
Researcher Troy Hunt was recently told that databases containing all of the user accounts and potentially up to 2.2m voice messages had been compromised by hackers who found them in an unprotected state around Christmas using nothing more complicated than the Shodan IoT search engine.
Worse, numerous people accessed the exposed databases, some of whom had demanded a ransom from the parent company after deleting them in a manner identical to a spate of recent attacks on MongoDB installations.
The databases lacked authentication although account profiles were at least protected with passwords hashed using Bcrypt, a secure algorithm.
But, as Hunt discovered after pitting them against Hashcat, the lack of password rules rendered this ineffective with”qwerty”, “password”, “123456”, “qwe and “cloudpets” matching large numbers of the hashes. This makes all recordings vulnerable.
We’ve been here before. In late 2015, toy maker VTech suffered a massive data breach, again involving data gathered from a children’s device and made public by Hunt. Hot on its heels came hackable Barbie, while only days ago Germany’s telecommunications watchdog branded the Cayla doll as a surveillance device on account of poor security.
Troy Hunt describes this kinder-dystopia in the making:
It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.
In a double helping of bad, the researcher who first told Hunt of the breach had attempted to warn CloudPets about the issue of three occasions but without response. A second researcher also tried to contact CloudPets as early as December 30, also without success.
It’s perhaps not a surprise that CloudPets was hard to contact given that its systems appear to have been stitched together for convenience from parts run by different entities.
Naked Security’s advice for CloudPets users who want to continue using the toys is to immediately change their password to something secure.
If there’s a moral it’s that parents should stop buying connected toys from any company until some standards develop and attitudes to security change.
At the very least, companies should be able to point to a responsible disclosure system so researchers have a way of communicating any vulnerabilities they find. Right now, few seem to have such systems and are therefore not deserving of trust, a sentiment some would extend to almost all IoT.
As we like to say on Naked Security for many things, “If in doubt, don’t give it out.”