Everything can be hacked, as a certain Overwatch character is fond of saying. That seems to be increasingly true of consumer electronics... including stuffed teddy bears and unicorns. According to security researcher Troy Hunt, a series of web-connected, app-enabled toys called CloudPets have been hacked. The manufacturer's central database was reportedly compromised over several months after stunningly poor security, despite the attempts of many researchers and journalists to inform the manufacturer of the potential danger. Several ransom notes were left, demanding Bitcoin payments for the implied deletion of stolen data.
CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. It's a fairly basic idea, and an appealing one for parents who travel frequently or grandparents living at a distance from their families. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising.
Hunt and the researchers he collaborated with found that the central database for CloudPets' voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left. Hunt theorizes that manufacturer Spiral Toys, facing poor sales and disastrous stock performance, had neither the interest nor the manpower to do anything about the early warnings given by concerned users.
You can read Hunt's exhaustive breakdown of CloudPets' security problems at the source link below. As this and other hacks of child-focused products have taught us, the new generation of web-connected devices requires a renewed commitment to data security.
- Troy Hunt