Company behind CloudPets left data on unprotected database

Feb 28, 2017 12:18 GMT  ·  By

Everyone who has kids loves getting them the latest cool toys available, but some are downright dangerous, especially those that connect to the Internet, such as CloudPets. In fact, these adorable little plush toys just managed to leak 800,000 user account credentials and 2 million message recordings for anyone to listen to.

It seems that between Christmas and the first week of January, the company behind CloudPets, Spiral Toys, left customer data on a database that wasn't protected by a firewall or a password. The Shodan search engine, often used to find unprotected websites and servers, was used to locate the MongoDB instance where all the CloudPets data was stored.
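The failure described above, as an added illustration that is not from the article and not Spiral Toys' own configuration: a mongod.conf fragment with the exposed-style settings (listening on every interface, no access control) next to its hardened counterpart. The private interface address is an assumed value.

```yaml
# Added example: two mongod.conf fragments. Neither is CloudPets' real
# configuration; the first simply mirrors the failure mode in the article.

# --- Weak: reachable from the Internet, no credentials required ---
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, public ones included
# No "security" section, so access control is off: anyone who can reach
# port 27017 can read, overwrite or drop every collection, which is exactly
# what lets a Shodan hit turn into a ransom note.

# --- Hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-server interface
                               # (10.0.0.5 is an assumed address)
security:
  authorization: enabled       # every client must authenticate; create the first
                               # admin user with db.createUser in the "admin"
                               # database before restarting with this setting
```

Binding only to loopback is enough when the application runs on the same host; a host firewall rule dropping inbound 27017 from the Internet should still sit in front of it as a second layer.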

So what was exposed? Well, more than 800,000 emails and passwords. Thankfully, the passwords were stored with bcrypt, a password-hashing function that is slower and harder to crack than the hash functions more commonly used. Troy Hunt, the security researcher behind Have I Been Pwned, analyzed the CloudPets data and claims that a large number of those passwords were so weak they might have been cracked anyway.

In the weeks the data was exposed, two security researchers, as well as malicious actors, accessed the information. Several cybercriminals appear to have seized the database and held it for ransom, as the CloudPets data was overwritten twice.

"It only takes one little mistake on behalf of the data custodian - such as misconfiguring the database security - and every single piece of data they hold on you and your family can be in the public domain in mere minutes," Troy Hunt writes in a blog post. He adds that, without any doubt, there are many connected toys with serious security vulnerabilities.

Parents who own CloudPets can check Hunt's Have I Been Pwned site to see whether their information has been exposed. Simply enter the email address used for the account and run a search.

Weak protection

IoT devices, as a whole, have serious security problems and have been hacked countless times. These connected toys, however, bring the added risk of putting your child in danger, on top of your privacy.

Just recently, Germany banned Cayla dolls due to security problems and for fear that the Internet connection used by the doll to return answers to kids' questions could easily be hacked. The toys have since been removed from stores.

"Such incidents are very frustrating, as it’s just the tip of the IoT iceberg. Too many companies, unfamiliar with the basic principles of information security, have entered into the IoT manufacturing business, putting the data and privacy of their customers at critical risk," Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told Softpedia.

"Regulatory requirements and compliance with law are also commonly ignored and neglected by the IoT manufacturers. For example, did the parents give an explicit authorization to store their voices? For which period of time? Can parents request the removal of their data and voices from the database? Will it be unrecoverably removed? Enforcement of GDPR regulation should motivate IoT vendors to give clear and reasonable answers to these and similar questions," Kolochenko added.