'Smart' Stuffed Animal Company Leaves Voice, Other Data Of Millions Publicly Exposed

from the internet-of-not-so-smart-things dept

So we've noted time and time again how so-called "smart" toys aren't immune to the security and privacy problems plaguing the internet of broken things. Whether we're talking about the Vtech hack (which exposed kids' selfies, chat logs, and voice recordings) or the lawsuits against Genesis Toys (whose products suffer from vulnerabilities to man-in-the-middle attacks), the story remains the same: these companies were so excited to connect everything and anything to the internet, but few could be bothered to spend more than a fleeting moment thinking about product security and consumer privacy.

Troy Hunt, creator of the very useful Have I Been Pwned? website, this week highlighted one of the biggest privacy breaches yet when it comes to the connected toy market. Spiral Toys makes the CloudPets line of stuffed animals, which adorably record and play back voice messages that can be sent over the Internet by parents and children alike. Less adorable is the fact that this collected data is stored by a Romanian company called mReady, which apparently left this data in a public available database neither protected by a password nor placed behind a firewall.

As such, that data was publicly accessible to anybody perusing the data via the Shodan search engine. And while it's hard to nail down a precise number, Hunt estimates that somewhere around 2 million voice recordings of children and parents were just left exposed to the open air, as well as the e-mail addresses and passwords for more than 800,000 Spiral Toys CloudPets accounts.

On a positive note, the company did appear to keep CloudPets stored passwords as a bcrypt hash, one of the more secure methods available. But that appears to have been compromised by the fact that the company (as outlined in this instructional video for customers) has absolutely no restrictions when it comes to minimal password strength:

"However, counteracting that is the fact that CloudPets has absolutely no password strength rules. When I say "no rules", I mean you can literally have a password of "a". That's right, just a single character. The password used here in the demonstration is literally just "qwe"; 3 characters and a keyboard sequence. What this meant is that when I passed the bcrypt hashes into hashcat and checked them against some of the world's most common passwords ("qwerty", "password", "123456", etc.) along with the passwords "qwe" and "cloudpets", I cracked a large number in a very short time."

As we've seen with so many IoT companies, many simply don't respond when contacted and warned about vulnerabilities. And when they are warned, lawsuit threats are often more common than cogent responses. In this case, Hunt notes that Spiral Toys was contacted three times about the data being publicly exposed and its weak password rules, and it chose to ignore each one of them:

"3 attempts to warn the organisation of a serious security vulnerability and not a single response. I've said many times before in many blog posts, public talks and workshops that one of the greatest difficulties I have in dealing with data breaches is getting a response from the organisation involved. Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this. If you run any sort of online service whatsoever, think about what's involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise."

In other words, here's yet another company that not only thinks security and privacy are an afterthought, but can't actually be bothered to respond when informed that the data of millions of users was just sitting unsecured in public view. These companies don't appear to realize it, but their incompetence acts as a living, breathing advertisement for why dumb toys and devices remain the smarter option.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: children, cloudpets, iot, security, smart toys, stuffed animals
Companies: spiral toys


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Arthur Moore (profile), 28 Feb 2017 @ 11:00am

    Question

    Quick question. Many countries have additional privacy requirements for minors. What's the likelihood that this company is now in breach?

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 28 Feb 2017 @ 11:15am

    Re: Question

    Somewhere between 100% and 100%.

    link to this | view in thread ]

  3. icon
    TheResidentSkeptic (profile), 28 Feb 2017 @ 11:44am

    Apply the correct formula to figure it out

    Corporate guilt is inversely proportional to campaign contributions.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 28 Feb 2017 @ 12:11pm

    Well... time to start my own data storage company.

    It is so sad when I can say this: I could do a better job than these guys and I am still very much a student and have never worked with security or databases other than a 2 server test environment.
    I mean, IT is a huuuuge subject that can make you feel very small when studying it and you start to realize just how much you don't know. Companies like this makes me look like a senior professional expert in the area... Where did they learn their stuff?... from the tv-show Scorpion? (That was the biggest insult I could come up with)

    link to this | view in thread ]

  5. icon
    TechDescartes (profile), 28 Feb 2017 @ 12:35pm

    Re: Apply the correct formula to figure it out

    Corporate guilt is inversely proportional to campaign contributions.

    The more they donate, the less guilty they are?

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 28 Feb 2017 @ 12:47pm

    It's a shame nobody shortselled them this time.

    link to this | view in thread ]

  7. identicon
    Cowardly Lion, 1 Mar 2017 @ 3:21am

    Complete pants...

    https://cloudpets.com/

    I don't know if they're having some "technical difficulties" but hardly anything on their site works (except external links such as the "Buy Now" redirect to Amazon), be it in Chrome, IE or Mozilla.

    I was looking for their "About" button, however they don't seem to have one, with their relatinoship to the Roumanian data centre in mind. I was thinking of dobbing them into our Information Commissioner; I have him on speed-dial.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 1 Mar 2017 @ 12:11pm

    SNL Consumer Probe Skit: Mainway Toys

    You can't make this stuff up, can you?

    http://snltranscripts.jt.org/76/76jconsumerprobe.phtml

    Consumer Reporter: Mr. Mainway [CEO, Mainway Toys], your company manufactures the following so-called harmless playthings: Pretty Peggy Ear-Piercing Set, General Tron's Secret Police Confession Kit.

    Well, I guess we could say that all of your toys are really unsafe and should rightfully be banned from the market. I guess I would just like to know what happened to the good ol' teddy bear.

    Irwin Mainway, CEO of Mainway Toys [Dan Aykroyd]: Hold on a minute, sister. I mean, we make a teddy bear. It's right here. [ picks up giant teddy bear ] It's got a nice little feature here, you see? I'll hold it up here. We call it a Teddy Chainsaw Bear. [ revs chainsaw in teddy bear's stomach ] I mean, a kid plays with saws, he can cut logs with it, you know what I mean.

    link to this | view in thread ]

  9. icon
    Aaron Walkhouse (profile), 2 Mar 2017 @ 1:47pm

    You REALLY want to get their attention?

    Don't waste time on their [ignorable] contact form or email.
    Tell all their RETAILERS about the weak security. ‌ ;]

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.