Connected toys are becoming increasingly popular, and one such toy is CloudPets’ stuffed animals. With these and a related app, parents and kids can record messages for each other that are shuttled between the toy and app via the company’s cloud service. That cloud service, it turns out, is quite insecure and has allowed voice messages recorded by parents and kids to be leaked online for anyone with the skills to grab them.
The security vulnerability was recently detailed in a lengthy post by Troy Hunt on his website. The root of the issue, it seems, is CloudPets’ lax security: the company left ‘a MongoDB that was in a publicly facing network segment without any authentication’, which allowed the database to be indexed by the Shodan search engine. This database contains extensive information about the company’s users.
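The two conditions that combined to expose the CloudPets database, a listener reachable from a public network segment and no authentication, are both visible in a mongod configuration. The following audit function is an added example, not code from the article or from CloudPets or mReady; the sample configurations are constructed, and the key names follow the documented mongod YAML layout (net.bindIp, net.bindIpAll, security.authorization).

```python
from typing import List, Union

# Constructed configurations for illustration (not CloudPets' actual config).
# EXPOSED_CONFIG mirrors the described exposure: no bindIp restriction and no
# access control. On mongod releases before 3.6 an unset bindIp listened on
# every interface, so a host in a public network segment was reachable by anyone.
EXPOSED_CONFIG = {
    "net": {"port": 27017},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# HARDENED_CONFIG binds to loopback only and requires authenticated,
# role-based access before any collection can be read.
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

WILDCARD_ADDRESSES = {"0.0.0.0", "::"}


def _bind_addresses(bind_ip: Union[str, list, None]) -> List[str]:
    """Normalise bindIp (comma-separated string or list) into a list of addresses."""
    if bind_ip is None:
        return []
    if isinstance(bind_ip, str):
        return [a.strip() for a in bind_ip.split(",") if a.strip()]
    return [str(a).strip() for a in bind_ip]


def audit_mongod_config(cfg: dict) -> List[str]:
    """Return findings for a parsed mongod config; an empty list means both checks pass."""
    findings = []
    net = cfg.get("net", {})
    addresses = _bind_addresses(net.get("bindIp"))
    # No bindIp at all is treated as exposed to stay safe on older releases;
    # bindIpAll or a wildcard address is exposed on every release.
    if net.get("bindIpAll") or not addresses or WILDCARD_ADDRESSES & set(addresses):
        findings.append("net.bindIp: listener bound to all interfaces; reachable from any "
                        "network the host is on")
    authorization = cfg.get("security", {}).get("authorization", "disabled")
    if authorization != "enabled":
        findings.append("security.authorization: access control disabled; any client that "
                        "can connect can read every collection")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
```

Binding to loopback alone is not sufficient when the application server lives on another host; in that case the fix is a private address plus authorization, and the check flags only the wildcard and unrestricted cases.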
The poor handling of databases resulted in the voice recordings of both kids and parents being exposed, with the total number of vulnerable recordings being around 2.2 million. These include messages parents sent in private to their kids, and messages kids recorded for their parents and friends.
User profile pictures have also been left exposed, and user data such as email addresses are readily available in the database. Equally worrisome is the poor password security: the company does not require users to create strong passwords. For this reason, Hunt was able to decrypt many weak account passwords, such as ‘password’ and ‘cloudpets’.
Once someone has an account’s password, they can obtain that account’s voice recordings simply by logging in. Many parties have accessed the exposed databases, though it isn’t clear how many. Furthermore, there is evidence that malicious individuals or groups accessed the databases and held them for ransom.
Hunt goes on to explain:
It’s impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them. Obviously, they’ve changed the security profile of the system and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines … Unauthorised access must have been detected but impacted parents were never notified.
All attempts to contact CloudPets and inform the company of the discovery failed. There is evidence the company may no longer be in operation: its financial condition is dire and its social media accounts appear to be defunct.