Security concerns remain in a post-CloudPets world
After CloudPets connected teddy bears were found to have exposed millions of voice recordings between parents and their children, Amazon, Target and Walmart pulled the toys from their online markets. But it is the installed base of the connected cuddlies that should be of greater concern. Connected toys and their security concerns typically make the most news around the holidays, but a recent security audit shows that privacy problems are still an issue. Working with cybersecurity researchers, Mozilla recently found unfixed and new vulnerabilities in the discontinued toys, which prompted the Electronic Frontier Foundation to issue a statement to major retailers.
The toys allow kids to send and receive audio messages from parents and authorized users through an iOS or Android app. CloudPets' parent company, Spiral Toys, went out of business last year after being plagued since Christmas 2016 by data breaches and significant security issues around password requirements and data governance. The toys still have an installed base, and some are available on resale or as leftover inventory.
Mozilla uncovered that the CloudPets app still points users to MyCloudPets.com. This domain is for sale, potentially opening up an attack vector against unsuspecting families. Strangers can also connect to CloudPets via Bluetooth without authentication, an attack that requires no vendor infrastructure. Firmware can also be installed without verification, which means a hacker with physical access to the toys can deploy malicious functions. Anyone owning a CloudPets toy should be aware that the danger still exists. Amazon, Target and Walmart heard the call and pulled whatever remaining toys were on the shelves. Other reports noted that eBay would also pull the items from its resale marketplace; however, CloudPets listings are still available there.
In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, security experts are increasingly worried about privacy and security. Last year, independent researchers found several issues with the CloudPets back end, starting with the public exposure of a Mongo database containing more than 2 million voice recordings by kids and parents. As a result, it was stolen and held for ransom more than once last year. The company also stored data from the app in an Amazon S3 bucket with no specific authorization required. The file path is embedded in the app itself and is returned by the app every time a profile is loaded, so anyone who knows it can fetch the data. The information includes profile photos, the children's names, birthdays (without the year) and details of the kids' relationships to those authorized to share messages with the child. The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children. CloudPets accounts were also found vulnerable to password brute-forcing: the company had no minimum requirement for password strength, so a password could have been a single character.
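The password weakness above is the one a back end can fix cheaply. The following is an added example, not CloudPets' or Spiral Toys' own code, of what a companion-app account service should have enforced: a minimum password policy that rejects a one-character password, salted PBKDF2 hashing instead of plaintext or unsalted storage, and a per-account lockout so that online guessing is throttled. The policy values (12-character minimum, 5 attempts per 15-minute lockout), the user names and the passwords are all assumptions made for the example; the `clock` argument is injectable only so the lockout can be exercised without sleeping. The helpers `guesses_to_exhaust` and `seconds_to_exhaust_with_lockout` show why a missing policy is fatal: a single printable-ASCII character has only 94 possibilities.

```python
"""Password policy and login throttling for a connected-toy companion-app back end.
Added example with hypothetical names and policy values; not the vendor's own code."""
import hashlib
import hmac
import os
import string
import time

# Assumed policy values for the example, not taken from the article.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000
PRINTABLE_ALPHABET = len(string.digits + string.ascii_letters + string.punctuation)  # 94


def validate_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable.
    With no policy at all (the flaw described above) a one-character password would pass."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    classes = (any(c.islower() for c in password)
               + any(c.isupper() for c in password)
               + any(c.isdigit() for c in password)
               + any(c in string.punctuation for c in password))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def guesses_to_exhaust(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> int:
    """Number of guesses needed to try every password of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust_with_lockout(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> int:
    """Worst-case online guessing time when an attacker gets MAX_FAILED_ATTEMPTS guesses,
    then must wait LOCKOUT_SECONDS before the next batch (network latency ignored)."""
    guesses = guesses_to_exhaust(length, alphabet_size)
    batches = -(-guesses // MAX_FAILED_ATTEMPTS)  # ceiling division
    return (batches - 1) * LOCKOUT_SECONDS


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked user table does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory stand-in for the user database, with per-account lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable clock so lockout expiry can be tested without sleeping
        self._users = {}         # username -> (salt, pbkdf2 hash)
        self._failures = {}      # username -> [failed_count, locked_until]

    def register(self, username: str, password: str) -> None:
        problems = validate_password(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown users and wrong passwords both
        yield 'denied' so the response does not reveal which accounts exist."""
        now = self._clock()
        failed, locked_until = self._failures.get(username, [0, 0.0])
        if now < locked_until:
            return "locked"
        record = self._users.get(username)
        if record is not None:
            salt, expected = record
            if hmac.compare_digest(hash_password(password, salt), expected):
                self._failures.pop(username, None)   # success clears the failure counter
                return "ok"
        failed += 1
        if failed >= MAX_FAILED_ATTEMPTS:
            self._failures[username] = [0, now + LOCKOUT_SECONDS]
        else:
            self._failures[username] = [failed, 0.0]
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    print("one-character password violations:", validate_password("a"))
    print("guesses for a 1-char password:", guesses_to_exhaust(1))
    print("hours to exhaust them under lockout:", seconds_to_exhaust_with_lockout(1) / 3600)
    store.register("parent", "Correct-Horse-Battery-42")   # constructed sample credentials
    print("correct login:", store.login("parent", "Correct-Horse-Battery-42"))
```

The lockout alone does not make a one-character password safe (94 guesses is a small number however it is throttled); the point of the example is that the length policy, the salted hash and the throttle each close a different part of the gap the article describes, and none of them depends on anything but the back end.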
Similar flaws have been found in other connected toys, like Genesis Toys' My Friend Cayla doll and Mattel's Hello Barbie doll, and just ahead of Christmas last year, a UK consumer rights group pinpointed the ability to hack the Bluetooth or Wi-Fi connections used by a range of toys. Some of the specific toys of concern to the group included Furby Connect, I-Que Intelligent Robot and Toy-fi Teddy. The lack of IoT security is more concerning because of the exposure of children. According to holiday season survey data of more than 1,000 US adults conducted by Keeper Security last November, nearly 53 percent of the IoT devices that respondents intended to purchase were toys. That's well ahead of the 23.6 percent that said they would buy wearable devices and the 22.4 percent each that planned to purchase home security and smart home devices like thermostats or vacuums.