“Have I Been Pwned?” operator Troy Hunt revealed that internet-connected teddy bears dubbed CloudPets leaked personal information. This put voice recordings, email addresses, and other sensitive data pertaining to children and their parents at risk of compromise by who-knows-how-many people.
CloudPets are billed as “a message you can hug.” They read stories, play lullabies, feature interactive games, and let parents record messages for their children. The problem: The devices stored user data in an easily accessed database without any form of password protection. Hunt said in a blog post that the CloudPets database was indexed by Shodan, a search engine for Internet of Things (IoT) products, and has been accessed by “many people.”
Hunt said information from roughly 821,000 people was compromised in this way. Within the databases, he said, “are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.” That would be enough of a problem on its own, but upon further examination of the CloudPets mobile app, Hunt discovered still more easily exploited security problems.
CloudPets apparently stored user information in an Amazon S3 bucket that also doesn’t require any form of authentication to access. The only thing needed to view someone’s profile picture, the name of a child, and the name of the relatives with whom they can communicate via their futuristic teddy bears is the proper file path. Voice recordings from children and their family members can be found in the same way. Somehow it gets even worse.
Hunt discovered that CloudPets has no strength requirements for user passwords. Someone could just type “L” as their password–and CloudPets explicitly advises parents to use “qwe” as a password in a “getting started” YouTube video. Neither option is secure in any way, and Hunt explained that even though CloudPets stored passwords as a bcrypt hash, cracking those simple passwords would be trivial for any hacker worthy of the moniker.
But that’s not all! Hunt also discovered that the products’ creators were warned about these issues at least four times. The company never responded to any of those emails. Just to recap: a bunch of internet-connected teddy bears stored information in public-facing databases without password protection, served data via Amazon S3 buckets without other safeguards, actively encouraged people to use weak passwords, and ignored several warnings.
That’s all bad news. It gets worse still, though, because apparently this tale was destined to become a great epic like the Iliad. (With significantly more references to stuffed animals, databases, and security issues.) Eventually the databases were erased and held for ransom by unknown attackers…several times. Eventually the databases disappeared from Shodan and it seemed that CloudPets had responded to the problem.
Whew! Finally, it’s all done. Except, well, of course it wasn’t. Hunt wrote:
It’s impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them. Obviously, they’ve changed the security profile of the system and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines.
So it seems the company knew about the issue but didn’t inform its customers of the problem. That violates California laws that require companies to disclose any data breaches. At every juncture, from setting up the databases to designing the mobile app to warning users that their and their children’s personal information was probably accessed by someone else, CloudPets did the worst possible thing it could do in regards to user privacy and security.
CloudPets aren’t the only internet-connected toys with privacy issues. EPIC, a digital privacy rights group, filed a complaint with the Federal Trade Commission in December 2016 alleging that Genesis Toys and Nuance recorded children’s voices without parental consent. Problems have also been found in Mattel’s “Hello Barbie” doll and other IoT playthings. Right now the message is clear: Don’t buy internet-connected toys for your kids.