Stuffed animals are soft and cuddly. But they are also security risks, as demonstrated by a data breach that was discovered this week.

Cybersecurity researcher Troy Hunt recently discovered an open database of over 2 million voice messages, along with email addresses and password data, collected by the toy line CloudPets.

CloudPets lets parents and their children exchange voice messages via a stuffed animal or phone app. But in an egregious departure from best practice, the company stored this information in a public-facing database that could easily be accessed by anyone searching Shodan.

More from Troy Hunt:

[Parents] don’t necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn’t realise that in CloudPets’ case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).

[…]

Unfortunately, things only went downhill from there. People found the exposed database online. Many people, and the worrying thing is, it’s highly unlikely anyone knows quite how many. The first I knew of it was when, earlier last week, someone sent me data from the table holding the user accounts, about 583k records in total (this subsequently turned out to be a subset of the total number in the CloudPets service). I started going through my usual verification process to ensure it was legitimate and, by pure coincidence, I was in the US running a private security workshop at the time and one of the guys in my class had a CloudPets account. Sure enough, his email address was in the breach and it was time-stamped Christmas day, the day his daughter had been given the toy.
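As an added illustration (not taken from the article, from Hunt, or from CloudPets’ own deployment), the two mongod.conf fragments below contrast the exposure Hunt describes, a MongoDB listening on every interface with authorization disabled, with a hardened configuration. The private address 10.0.1.5 and the certificate path are assumed placeholders; the hardened form also presupposes that an admin user has been created before clients connect.

```yaml
# --- Exposed configuration (the failure mode described above) ---
# Listens on all interfaces; any host that can reach port 27017 gets
# full read/write access with no credentials, and Shodan will index it.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
---
# --- Hardened configuration ---
# Bind only to loopback and the private application-tier address
# (10.0.1.5 is an assumed placeholder), require TLS, and require every
# client to authenticate and be authorized via roles.
net:
  bindIp: 127.0.0.1,10.0.1.5
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path
security:
  authorization: enabled
```

Binding to a private address is still only a network control; the authorization setting is what stops a reachable instance from handing out the whole user table, which is why both belong in the hardened version.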

According to Hunt, the company — called Spiral — has thus far been silent, even as Hunt and other journalists have reached out to the firm.

From Engadget:

As for Spiral’s response? There is none, and might never be. Microsoft’s Troy Hunt and others have tried reaching out to Spiral multiple times to no avail, and the company doesn’t appear to have notified customers despite obvious signs that something was amiss. From all indications, the company is on life support or dead: its social media accounts have been silent for months, and its stock price is near worthless.

The kicker is that a lot of this would be entirely avoidable. Rapid7 security research director Tod Beardsley tells Engadget that all of the flaws could have been addressed, but that Spiral seems “uniquely uninterested” in taking them on. While Rapid7 tends to get responses from companies “about 70% of the time” and almost always sees them implement a fix or workaround when they get in touch, it’s “increasingly rare” for a company to go completely silent.

The breach also underscores the importance of secure cloud apps. From ComputerWorld:

Bryce Boland, chief technology officer for Asia-Pacific at FireEye, said there is little excuse for CloudPets’ lack of basic protections for the breached database, but this is unfortunately not an isolated incident.

“This isn’t the first case of a toy manufacturer failing to protect their customers’ information and it likely won’t be the last. The fact is, a baby’s crib is required to meet more rigorous safety standards and testing than connected devices such as baby monitors or connected toys.

“Companies need to bake security into the design of their products. Security can’t be an afterthought. Connected devices such as these need to be designed assuming hackers will try to compromise them. They should be designed so that even if they are compromised and information is stolen, it is useless to the attacker,” he said.

Further reading:

Naked Security

ComputerWorld

Troy Hunt