The toys can be turned into spying gear quite easily

Mar 1, 2017 14:57 GMT

The CloudPets nightmare seems to have no end and, even worse, keeps taking new shapes. After it was revealed that it leaked hundreds of thousands of user recordings and credentials, it now seems that its Bluetooth Web API is not really safe against remote exploitation.

So what does this mean for those cute little plushies? Well, these toys allow a webpage to connect to the toy via Bluetooth without any authentication, giving that page the power to control the gadget and record from the toy's microphone. The same connection can also be used to play sounds through the toy.

Here comes the nightmare part: the insecure implementation of this API can permit attackers to snoop on families from outside their house. All they need is a phone and a webpage: pair it with the nearby toy and listen in.

Researchers from Context Information Security revealed that they were looking into CloudPets' use of Web Bluetooth when news broke about the data leak. Now that they've wrapped up their investigation, the findings only condemn the toy makers even more.

"When first setting up the toy using the official CloudPets app, you have to press the paw button to 'confirm' the setup. I initially thought this might be some sort of security mechanism, but it turns out this isn't required at all by the toy itself," reads the report.

They go on to note that anyone can connect to the toy, as long as it is switched on and not currently connected to anything else. Since Bluetooth typically has a range of about 10-30 meters, even someone standing outside your house could connect to the toy, upload audio recordings and receive audio from the microphone.

Not even the APK is safe

"The CloudPets app performs a firmware update when you first set up the toy, and the firmware files are included in the APK. The firmware is not signed or encrypted - it's only validated using CRC16 checksum. Therefore it would be perfectly possible to remotely modify the toy's firmware," the report goes on, digging an even deeper hole for the company behind these toys.
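Why a CRC16 check does not protect firmware against deliberate modification, shown as an added example (not code from this article or from the Context report). The sample images, the key and the CRC-16/CCITT variant are constructed assumptions, and HMAC-SHA256 stands in for a vendor signature check; a shipping design would use an asymmetric signature so the toy holds only a public key.

```python
import binascii
import hashlib
import hmac

# Constructed sample images; not real CloudPets firmware.
ORIGINAL_FW = b"FW-v1:" + bytes(range(64))
MODIFIED_FW = b"FW-v1:" + bytes(range(63)) + b"\xff"
VENDOR_KEY = b"constructed-vendor-key"  # hypothetical secret held only by the vendor

def crc16(data: bytes) -> int:
    # CRC-16/CCITT from the standard library; the toy's exact variant is assumed.
    return binascii.crc_hqx(data, 0xFFFF)

def pack_crc(fw: bytes) -> bytes:
    # A CRC has no secret input, so any party can produce a valid trailer.
    return fw + crc16(fw).to_bytes(2, "big")

def accept_crc_only(pkg: bytes) -> bool:
    if len(pkg) < 3:
        return False
    return crc16(pkg[:-2]) == int.from_bytes(pkg[-2:], "big")

def pack_mac(fw: bytes, key: bytes) -> bytes:
    return fw + hmac.new(key, fw, hashlib.sha256).digest()

def accept_mac(pkg: bytes, key: bytes) -> bool:
    if len(pkg) <= 32:
        return False
    expected = hmac.new(key, pkg[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg[-32:])

def evaluate() -> dict:
    good_crc = pack_crc(ORIGINAL_FW)
    corrupted = bytes([good_crc[0] ^ 0x01]) + good_crc[1:]  # accidental bit flip
    good_mac = pack_mac(ORIGINAL_FW, VENDOR_KEY)
    return {
        "crc_accepts_original": accept_crc_only(good_crc),
        "crc_rejects_bit_flip": not accept_crc_only(corrupted),
        # The gap: a changed image with a recomputed CRC passes validation.
        "crc_accepts_repackaged_image": accept_crc_only(pack_crc(MODIFIED_FW)),
        "mac_accepts_original": accept_mac(good_mac, VENDOR_KEY),
        "mac_rejects_swapped_body": not accept_mac(MODIFIED_FW + good_mac[-32:], VENDOR_KEY),
        "mac_rejects_wrong_key": not accept_mac(pack_mac(MODIFIED_FW, b"guess"), VENDOR_KEY),
    }

if __name__ == "__main__":
    for check, result in evaluate().items():
        print(f"{check}: {result}")
```

Every check evaluates to true: the CRC catches transmission errors but accepts any image whose checksum was recomputed, while the keyed check rejects anything not produced with the vendor's key.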

Spiral Toys is at fault for the data leak as well. Between Christmas and the beginning of January, a full database containing about 2 million message recordings and 800,000 user account credentials was left unprotected by a firewall or password, which made it possible for the information to easily leak out into the world.