More than two million voice messages, many of them from children, along with the personal information of more than 800,000 registered users was swiped from an exposed MongoDB instance storing data collected from a internet-connected toy called CloudPets.
These IP-enabled teddy bears allow children to send and receive messages through the toy to and from others over the Internet. Parent company Spiral Toys had been notified by two security researchers working independently of each other, and only after a public disclosure published last night by Troy Hunt did it finally surface and deflected blame.
CEO Mark Myers told Network World it was a minimal issue and that an attacker would only be able to access recordings if they were able to guess the user’s password. Spiral Toys, however, had minimal password requirements if a video, below, shared by Hunt is any indication, meaning that it would be relatively simple for a determined attacker to crack the passwords. Myers also said that his company outsources server management, and that the third party is to blame for the shoddy security. A request for comment from Threatpost was not returned in time for publication.
MongoDB instances have been targeted heavily since January with attackers accessing unprotected databases, copying data and then deleting the information before leaving behind a ransom note demanding payment in Bitcoin.
“People that hunt for these kinds of data normally silently go in, get the data and leave without tripping alarm bells,” said Victor Gevers of the GDI Foundation who has been instrumental in exposing this new extortion trend. “That has been going on for years. Since January this year, there are new destructive open system attacks that simply wipe everything and then leave a ransom note.”
Gevers also found the CloudPets data exposed online and notified the toy maker on Dec. 30 and 31 via three emails, a message to the Spiral Toys Twitter account and in a LinkedIn invite to Myers, none of which were acknowledged, he said. He also filed a ticket in Spiral Toys’ support area with ZenDesk, which he said sends an automated reply that the support request has been received.
Hunt’s timeline is similar, though he also tried to contact the toymaker via its WHOIS record contact and its hosting provider Linode on Dec. 30, 31 and Jan. 4. Hunt said that on Jan 7 the original databases were deleted and a ransom demand called “PLEASE_READ” was left behind similar to other attacks against MongoDB installations. A day later, another ransom demand was left called “README_MISSING DATABASES,” and another called “PWNED_SECURE_YOUR_STUFF_SILLY.” As has been the trend in other MongoDB attacks, hackers will access the same database over and over again swapping out ransom notes and demands. The researchers speculate that it’s likely the data was accessed and possibly copied out numerous times before it was deleted.
“This database was open to the world because of MongoDB’s unsafe default settings which are accessible to all with full admin rights (if you don’t lock it down),” Gevers said. “In January, there were these MongoDB ransack/ransom attacks and also this database server became a victim on the 12th of January and the staging database was deleted.
“But it has been open for a long time (according to Shodan history files) so enough people must have copied the entire database which is pretty common with open systems,” Gevers said. “I have seen a lot of log files during the ransom attacks so I know from experience how quickly open systems are found, how quickly data gets exfiltrated.”
The disturbing part aside from the technical stumbles is that numerous parties accessed and copied personal messages between parents and children. Anyone can use a mobile app to send messages to the CloudPets teddy bear, which then can be listened to by the child, who can then reply through the bear. The child’s response is sent back to the mobile app.
Hunt said in his report that the databases were on a publicly facing network segment without authentication required and had been indexed by the Shodan search engine. Hunt was informed of the breach by a friend, he explains in his disclosure. He verified the data was legitimate and quickly surmised that the data had been accessed by many parties.
Gevers, meanwhile, said that 821,396 registered users, 371,970 friend records, and 2,182,337 voice messages were in the database that was wiped.
Hunt explained in his report that through an investigation of how the mobile app communicates with the Spiral Toys server, he discovered that domain is the same IP address as the exposed databases, meaning that production and staging servers were on the same physical box. He also learned that the company stores uploaded data such as voice messages and profile pictures on an Amazon S3 bucket that was accessible just by knowing the file path. That profile also contains other personal data such as children’s names, relationships to other users authorized to share messages with a child.
“Once again, an Amazon S3 bucket with no specific authorization required, merely knowledge of the file path which is obviously stored in the app itself (returned via the API),” Hunt wrote. “Based on how CloudPets position their toys, you can imagine the sorts of voice messages the system contains.
“The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children,” he wrote.
Gevers, meanwhile, shared one of his emails to Spiral Toys with Threatpost. In it he explains the problem and provides evidence of how many records were exposed. He also provides them with advice for locking down their MongoDB instance and to inform customers of the situation.
“I hope that SpiralToys does what is in the best interests of their customers and that is to inform them about this breach and give a good and solid advice what to do (remind them about weak passwords or password reuse),” Gevers said. “Transparency and being helpful should be your highest priority when you deal with sensitive data leaks as these.”
