More than a year after CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach, Amazon, Target and Walmart have pulled the toys from their online markets. But it’s the installed base of the connected cuddlies that should be of greater concern.
Connected toys and their attendant security concerns typically make the most news around the holidays, but a recent security audit shows that their privacy problems are an evergreen issue. Working with cybersecurity research firm Cure53, Mozilla recently found both unfixed and new vulnerabilities in the discontinued toys, which prompted the Electronic Frontier Foundation (EFF) to send a letter [PDF] of concern to major retailers on May 28, 2018.
The toys let kids send and receive audio messages from parents and “authorized users” through an iOS or Android app. CloudPets parent Spiral Toys went out of business last year after being plagued, since Christmas 2016, by data breaches and serious security problems around password requirements and data governance. Nonetheless, the toys have an installed base, and some are still available as resale items or leftover inventory.
Fresh Security Worries
Mozilla, in an unpublished report cited by the EFF, found that the CloudPets app still points users to MyCloudPets.com. That domain is now for sale, which potentially opens a significant attack vector against unsuspecting families: whoever buys it controls where the app sends its users. Strangers can also connect to a CloudPets toy over Bluetooth without any authentication, an attack that requires no vendor infrastructure to carry out. And firmware can be installed on the toy without verification, so an attacker with physical access (or a Bluetooth connection) can load malicious functionality. Anyone who owns a CloudPets toy should be aware that the danger has not gone away.
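The firmware finding above is the absence of one specific check: the toy accepts any image it is handed. The following is an added example of what that check looks like, written for this article rather than taken from CloudPets, Mozilla or Cure53. The image layout (a `CPFW` magic, version, length and reserved field followed by the payload and a 32-byte tag), the key and the sample payload are all hypothetical. A real device would normally verify an asymmetric signature (for example ECDSA or Ed25519) against a public key fixed in the bootloader; an HMAC-SHA256 tag with a device-held key is used here so the example runs with only the Python standard library, but the structure of the check (parse, bound-check, authenticate, then enforce anti-rollback) is the same.

```python
"""Verify a firmware image before accepting it (added example, hypothetical format)."""
import hashlib
import hmac
import struct

MAGIC = b"CPFW"                        # hypothetical image magic
HEADER_FMT = ">4sIII"                  # magic, version, payload length, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32                           # HMAC-SHA256 output size
VERIFY_KEY = b"example-key-do-not-ship"  # hypothetical device-held key


def build_image(version: int, payload: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """What a vendor build server would emit: header || payload || tag."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload), 0)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, installed_version: int, key: bytes = VERIFY_KEY):
    """Return (ok, reason). Only an image with ok=True should ever be flashed."""
    # 1. Enough bytes for a header and a tag at all?
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "image truncated"
    magic, version, length, _ = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        return False, "bad magic"
    # 2. The length field is attacker-controlled until the tag checks out,
    #    so bound it against the actual image size before using it.
    body_end = HEADER_LEN + length
    if body_end + TAG_LEN != len(image):
        return False, "length field does not match image size"
    # 3. Authenticate header and payload together; compare in constant time.
    expected = hmac.new(key, image[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, image[body_end:]):
        return False, "authentication tag mismatch"
    # 4. Anti-rollback: a genuine but older image may carry known bugs.
    if version <= installed_version:
        return False, "version rollback rejected"
    return True, "ok"


if __name__ == "__main__":
    payload = b"firmware payload bytes"          # constructed sample payload
    good = build_image(2, payload)
    print("genuine image:", verify_image(good, installed_version=1))
    tampered = bytearray(good)
    tampered[HEADER_LEN + 3] ^= 0x01             # flip one payload bit
    print("tampered image:", verify_image(bytes(tampered), installed_version=1))
    forged = build_image(3, payload, key=b"attacker-key")
    print("forged image:", verify_image(forged, installed_version=1))
    print("rollback:", verify_image(good, installed_version=2))
```

A toy that skipped step 3 would accept the tampered and forged images; one that skipped step 4 would accept a genuine but vulnerable older build, which is why both checks belong in the bootloader rather than in the phone app.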
Amazon, Target and Walmart apparently heard the call and pulled whatever remaining toys were on the shelves – very few, it should be noted: AdWeek reported that in Amazon’s case, the pulled inventory amounted to a single unicorn. In total, we’re talking about 20 or so items.
Other reports noted that eBay also said it would pull the items from its resale marketplace — however, at time of writing, CloudPets listings were still available. Threatpost has asked for clarification from the e-tailer.
“In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a media statement.
Last year, independent researcher Troy Hunt found several issues with the CloudPets back end, starting with the public exposure of a MongoDB database containing more than 2 million voice recordings by kids and parents. The exposed database was stolen and held for ransom more than once last year.
The company also stored app data in an Amazon S3 bucket that required no authorization, merely knowledge of the file path, which is stored in the app itself and returned every time a profile is loaded. That data includes profile photos, the names of children, their day and month of birth (not the year), and details of the kids’ relationships to the people authorized to share messages with them. “The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children,” Hunt said.
Finally, CloudPets accounts were found to be vulnerable to password brute-forcing: the company enforced no minimum password strength, so a password could consist of a single digit.
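The password finding is really two missing server-side controls: no policy at account creation, and nothing that slows an attacker who can make unlimited guesses. The example below is added for this article and is not Spiral Toys code; it assumes accounts are keyed by e-mail, that the 12-character minimum, five-failure threshold and 15-minute lockout are illustrative values, and that a clock callable is injected so the lockout logic can be exercised offline. Hashing uses PBKDF2 from the standard library; the short common-password list is constructed for the example.

```python
"""Password policy plus per-account lockout (added example, not vendor code)."""
import hashlib
import hmac
import secrets

MIN_PASSWORD_LEN = 12
MAX_FAILURES = 5            # failures tolerated inside one lockout window
LOCKOUT_SECONDS = 900       # 15 minutes
PBKDF2_ROUNDS = 100_000
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed list


def password_policy_errors(password: str) -> list:
    """Reasons a password is rejected; an empty list means it passes."""
    errors = []
    if len(password) < MIN_PASSWORD_LEN:
        errors.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if password.isdigit():
        errors.append("digits only")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password list")
    return errors


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Account store with failure counting and a lockout window per account."""

    def __init__(self, clock):
        self.clock = clock          # callable returning seconds (injected for tests)
        self.accounts = {}          # email -> (salt, digest)
        self.failures = {}          # email -> (count, window_start)
        self.locked_until = {}      # email -> timestamp

    def register(self, email: str, password: str) -> bool:
        """Refuse to create an account with a weak password."""
        if password_policy_errors(password):
            return False
        self.accounts[email] = hash_password(password)
        return True

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(email, 0) > now:
            return "locked"
        stored = self.accounts.get(email)
        # Run the hash even for unknown accounts so response time does not
        # reveal which e-mail addresses exist.
        salt, digest = stored if stored else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if stored and hmac.compare_digest(candidate, digest):
            self.failures.pop(email, None)
            return "ok"
        self._record_failure(email, now)
        return "denied"

    def _record_failure(self, email: str, now: float) -> None:
        count, start = self.failures.get(email, (0, now))
        if now - start > LOCKOUT_SECONDS:      # stale window: start over
            count, start = 0, now
        count += 1
        self.failures[email] = (count, start)
        if count >= MAX_FAILURES:
            self.locked_until[email] = now + LOCKOUT_SECONDS
            self.failures.pop(email, None)


if __name__ == "__main__":
    t = [1000.0]                                  # constructed fake clock
    guard = LoginGuard(clock=lambda: t[0])
    print("register '1':", guard.register("parent@example.com", "1"))
    print("register strong:", guard.register("parent@example.com", "correct horse battery"))
    for _ in range(MAX_FAILURES):
        print("wrong guess:", guard.login("parent@example.com", "wrong"))
    print("right password while locked:", guard.login("parent@example.com", "correct horse battery"))
    t[0] += LOCKOUT_SECONDS + 1
    print("after lockout expires:", guard.login("parent@example.com", "correct horse battery"))
```

With a single-digit password there are ten candidates, so even a tight lockout only delays the attacker; the policy check at registration is what makes the guess space large enough for the lockout to matter.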
Spiral Toys CEO Mark Myers said at the time that the breach was a “very minimal issue,” and did not direct fixes for it.
Not so minimal, clearly: his company is now kaput. It is unclear whether the exposed data is still publicly available.
Not an Uncommon Issue
Similar flaws have been identified in other connected toys, such as Genesis Toys’ My Friend Cayla doll (banned in Germany) and Mattel’s Hello Barbie. Just ahead of Christmas last year, UK consumer rights group Which? showed that the Bluetooth or Wi-Fi connections used by a range of toys could be hijacked in a man-in-the-middle takeover that would let attackers eavesdrop on children or steal data. Toys the group singled out included Furby Connect, the I-Que Intelligent Robot and Toy-fi Teddy.
This facet of poor IoT security is arguably more concerning than others, given that it exposes children. Even so, holiday-season survey data from more than 1,000 US adults, collected by Keeper Security last November, found that nearly 53 percent of the IoT devices respondents intended to buy were toys. That is well ahead of the 23.6 percent who said they would buy wearables and the 22.4 percent each who planned to buy home security devices and smart home devices such as thermostats or vacuums.