BEACON TRANSCRIPT – Earlier this week, a breach-notification website published news about the CloudPets line of Internet-connected toys. According to the report, the products exposed over 2 million voice recordings, along with the email addresses and password hashes of over 800,000 accounts.
In a highly-connected world, IoT teddy bears are no longer a surprise. But a line of Internet-connected stuffed toys may have been doing more than just transmitting messages.
According to Troy Hunt, maintainer of the breach-notification website Have I Been Pwned?, the CloudPets service had been leaking its users’ data. In a blog post published on February 27th, Hunt reported that, based on his research, the stuffed-toy line had exposed private user data.
Hunt stated that he located the user data with a search on Shodan, the search engine that indexes Internet-connected devices and services. That search, together with other evidence, showed that the account data sat in a publicly reachable database protected by neither a firewall nor a password.
The Shodan records also showed that the exposed data had already been accessed, and more than once: it was reportedly reached by multiple parties, some of whom demanded a ransom.
The leaked audio recordings were reportedly stored on an Amazon-hosted service that required no authorization to access. Another detail Hunt offered concerned the time period: the exposed data was publicly accessed multiple times between December 25th and January 8th.
The source of the leak was identified as Spiral Toys, the company that develops, markets, and sells the CloudPets line.
CloudPets are an IoT version of the stuffed bear: they record voice messages and send them over the Internet. Hunt stated that Spiral Toys had contracted mReady, a Romanian company, to host the MongoDB database that held the registered CloudPets accounts, reportedly over 820,000 of them. Spiral Toys also kept other user data on an Amazon-hosted service.
Like the database, that storage required no authorization to access. It held customer profile pictures, the names of children, and other profile details.
According to Hunt, retrieving user data from this storage was straightforward: all one needed was the file location, and, as Hunt noted, that was not hard to determine.
The report pointed out some other facts about the CloudPets line. Although the overall security posture was described as lax, the service did one thing right: passwords were stored using the bcrypt hashing function, which is deliberately slow to compute and therefore resistant to brute force. That protection is undercut, however, by a very permissive password policy. A slow hash buys little when the password itself can be guessed in a handful of attempts.
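The following is an added example, not code from CloudPets, Spiral Toys, or Troy Hunt. It shows why a slow password hash does not compensate for a permissive password policy: one stored hash is attacked with a short, constructed wordlist, and a password accepted by a "non-empty is fine" policy falls on the first guess, while one accepted by a 12-character minimum survives. Two assumptions are made here: bcrypt is stood in for by `hashlib.scrypt`, a comparably expensive hash from the Python standard library, so the example runs without extra dependencies, and the wordlist and the two policies (`min_length=1` versus `min_length=12`) are illustrative, not taken from the report.

```python
# Added example; not CloudPets, Spiral Toys or Troy Hunt code.
# Assumption: hashlib.scrypt stands in for bcrypt. Both are deliberately slow,
# so the argument about weak passwords is the same for either.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# scrypt cost parameters (assumed; moderate so the demo runs in seconds)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password, using a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)


def password_policy_violations(password: str, min_length: int) -> List[str]:
    """Return the reasons a password fails a minimum-length policy (empty list = accepted).

    min_length=1 models a permissive policy where any non-empty string passes;
    min_length=12 models a reasonable floor for a consumer service.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.strip() == "":
        problems.append("empty or whitespace only")
    return problems


# Constructed wordlist: the kind of short guesses an attacker tries first
# against a consumer toy service. Not data from the breach.
WORDLIST = ["a", "1", "123456", "password", "qwerty", "cloudpets",
            "teddy", "bear", "mommy", "daddy", "abc123", "letmein"]


def crack(salt: bytes, digest: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against one stored hash.

    Returns (recovered_password, attempts) or (None, attempts). Every attempt
    costs one scrypt evaluation, which is what a slow hash is for; but when the
    policy lets a user pick "a", the attacker needs only one evaluation.
    """
    for attempts, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest):
            return guess, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    for pw in ["a", "teddy", "correct horse battery staple 42"]:
        salt, digest = hash_password(pw)
        print(f"{pw!r}: permissive policy -> {password_policy_violations(pw, 1) or 'OK'}, "
              f"12-char policy -> {password_policy_violations(pw, 12) or 'OK'}, "
              f"dictionary attack -> {crack(salt, digest, WORDLIST)}")
```

The design point is that the hash function's cost multiplies the attacker's work per guess, while the policy bounds how many guesses are needed; with single-character passwords permitted, the product is still tiny, so a bcrypt-protected dump of 800,000 hashes remains crackable at scale.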
Hunt expressed certainty that either the CloudPets team or mReady knew about the exposure. At least four attempts were reportedly made to notify the company of the breach, none of which received a response.
However, when contacted about the report, Spiral Toys denied the claims, maintaining that no user images or messages had been leaked.