IOT (Internet of Toys)?

CloudPets records your children, then pretty much puts it out on the internet for everyone.

Furthering our conversation on IoT (Internet of Things) devices that record and store you voice, comes this little gem.

CloudPets exposes thousands of their customer’s (and their children’s) voice conversations in an open database.  CloudPets couldn’t even bother to secure the database with a password, leaving the database to simply fall prey to anyone that wanted over 800 thousand user accounts worth of stored voice recordings. That’s over 2 million voice recordings!

CloudPets are cute, little, furry stuffed animals that act as a voice messaging system between you and your child. You, as the adult, download an app to your phone or tablet. The app allows you to record and send a message through the CloudPets cloud messaging service. The message is then received by another phone (preferably another adult) that is near the CloudPets stuffed animal. The app on the other end then transmits the message to the stuffed animal via Bluetooth connection.  The child then reverses the process by recording their own message back to you via a squeeze of the animals paw/arm.  You get the picture.

These are private and very personal conversations… and more than likely the participants do not understand that they are being recorded. And I doubt any parent is in full agreement with that kind of TOS.  Or at least, I wouldn’t be.

So, what happened?

I invite you to read security researcher Troy Hunt’s full account of what happened.

In short; The CloudPets databases (there were 2 databases exposed) was found by doing a simple Shodan search. The database was NOT behind a firewall and was open to the web.  The list of failures could go on forever, but let’s focus on what was exposed: User names, hashed passwords (at least they were hashed), enough information through the other services to deliver addresses to profile pictures, and file locations of recorded messages (like just type in the address), names of children, children’s dates of birth minus the year, relationships to parents, authorized friends…  I mean, c’mon, basically everything you’ve ever put into the system.

As Troy’s article continues, and just when you think things couldn’t get worse…  That’s when you realize that during the course of the investigation, CloudPets gets ransomed and their databases ripped from their servers. As you would expect from a ransom attack. Similar styled ransoms featured a ransom note, so I’m going to steal the quote right off his page…

You DB is backed up on our servers, send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your ip address to email:kraken0@india.com

So, lets take a look at the leak in simple terms:
1. Database openly exposed to web.
2. Email addresses and hashed passwords exposed.
3. No requirements on password strength. (Troy was able to crack a significant number of them with a simple brute force attack)
4. Images and recordings able to be retrieved off Amazon S3 cloud with nothing more than an URL, to which you can find references to IN THE DATABASE! With NO authentication.
5. Database clearly hacked and ransomed.
6. Company’s lack of response to repeated warnings. Even lying about receiving warnings.
7. Company’s refusal to alert customers.
8. Company’s utter failure to address the issue at ALL! Insisting there was no breach.

In the end, our point is the same; Toys for children and for adults, that have microphones, and cameras need to be looked at with a skeptical eye. If you aren’t 110% sure that you’re device isn’t recording your voice and shipping it off to some server in God-knows-where, you should probably consider removing it from your home. And if a device connects to a network, in any way…  It’s probably recording and storing everything that it hears. Food for thought.

Update: Spiral Toys (CloudPets’ parent company), has finally admitted there was a breach and filed with the authorities in California.  Even though they don’t seem to have a full understanding of what they did wrong, at least it’s a start.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


9 − two =