Archer

“You must assume data like this will end up in other peoples’ hands,” researcher says.

 

A fluffy kitty, a soft bear, a plush pup.

These are the CloudPets, stuffed animals that let you record a message for your kids on your smart phone and send it from far away.

“It’s a message you can hug!” the commercial says, showing parents and kids recording missives of love for each other, like “Hey, Daddy, I love you.”

But it may also be a message that malicious hackers have stolen for their own purposes, along with other personal information about your child and family, said cybersecurity researcher Troy Hunt.

“CloudPets left their database exposed publicly to the web without so much as a password to protect it,” Hunt wrote in a post about his research. “By now it’s pretty obvious that multiple parties identified the exposed database, it remained open for a long period of time and it exposed some very personal data.” 

He added that “scanning for this sort of thing is enormously prevalent and that data—including the kids’ and parents’ intimate audio clips—is now in the hands of an untold number of people.”

 

A CloudPets unicorn. Image from Spiral Pets.

 

Some families are angry about the news.

“I am REALLY sick of all these connected toys,” said a father on the CloudPets Facebook page. “Here’s another big data breach, and if your little one has Cloud Pets, there’s a pretty high likelihood that your data is now in the hands of nefarious individuals.”

 

Some parents complained about the company’s handling of the breach on the CloudPets Facebook page.

 

The company responds

Archer News contacted the maker of CloudPets, called Spiral Toys, in Los Angeles.

“When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed,” the company said in a statement sent to Archer News this afternoon. “To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted.”

The researcher said that is not enough.

“However, counteracting that is the fact that CloudPets has absolutely no password strength rules,” Hunt wrote. “When I say ‘no rules,’ I mean you can literally have a password of ‘a.’ That’s right, just a single character.”

 

CloudPets allows users to have a password just one letter long, a researcher said. Image from Spiral Toys.

 

The company tutorial showing families how to choose a password uses the very simple three-letter password, ‘qwe,’ a short form of ‘qwerty,’ one of the most commonly used and most easily cracked passwords. 

“I cracked a large number in a very short time,” Hunt said. “Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings.”

Spiral Toys said it is now asking people to change their passwords to something longer and stronger.

“For the protection of our users we are now requiring users to choose new increased security passwords,” the company said. “An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password.”

 

The CloudPets ad encourages parents and children to send voice messages to each other while they are apart. Image from CloudPets ad.

 

Safe or not safe?

Spiral Toys’ statement said the company found out about the problem on February 22, and took “immediate and swift action to protect the privacy of our customers.”

But Hunt tells a different story.

He said he and other researchers tried to warn Spiral Toys multiple times starting on December 31, but got no answer.

Then, at the beginning of January, things went awry.

CloudPets databases were exposed in the MongoDB database disaster, where malicious hackers could not only access the data, but could hold it for ransom and delete it, Hunt said.

In fact, hackers did demand ransom for CloudPets data and then destroyed it, according to their research.

“The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom,” Hunt wrote.

Still, they said, no response from the company—until long after.

 

CloudPets promoted its connected toys for military families on Facebook.

 

“Running safely”

The company claims all is well for kids and parents who own CloudPets.

“The CloudPet services have been running safely since March 2015 and we are taking all steps necessary to continue to run safely on our production servers,” the statement said. “We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future.”

But security researchers warn families that connected toys can also connect your children with criminals.

You must assume that the information you and your child give to a toy—whether by video, voice or typed into an app—will end up in the hands of other people, Hunt said.

“There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them,” he said. “Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”

 

CloudPets app in the Apple Store.

 

Spy toys

Germany just banned the My Friend Cayla interactive talking doll over security concerns.

The Bundesnetzagentur or Federal Network Agency said the toy could be used as a surveillance device and had inadequate security, allowing strangers to listen in.

“Anything the child says or other people’s conversations can be recorded and transmitted without the parents’ knowledge,” the agency said in its statement. “A company could also use the toy to advertise directly to the child or the parents.”

Consumer groups in the U.S. filed complaints about My Friend Cayla and another interactive toy, the i-Que Intelligent Robot, in December, saying the toys are not secure, violate privacy laws and secretly market to your kids without your consent.

 

My Friend Cayla doll and the i-Que Intelligent Robot. Photo: Forbrukerrådet 

 

The VTech toy company experienced a massive breach affecting more than six million children in 2015.

Around the same time, researchers said they found security flaws in the talking doll Hello Barbie, leading some to call her the “Hell No Barbie.”

More problems

Another researcher found security problems with the CloudPets, too, and published his concerns today.

“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else,” Paul Stone said. “Bluetooth LE [low energy] typically has a range of about 10 – 30 meters, so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”

Stone also said he had trouble reaching Spiral Toys about the security flaws.

He advised parents to take their own security steps.

“If you own one of these toys (or any other IoT [Internet of Things]/connected toy), I would recommend keeping it turned off whilst it’s not in use,” he said.

 

The CloudPets site shows how parents & kids can use the toy to communicate. Image from CloudPets.com.

 

What can I do?

Spiral Toys said it will report the data breach to state officials.

“Once we have addressed our customers’ needs and we document the incident, we will file the cyber-crime report with the State Attorney General in California,” its statement said. “We will continue to post any updates on our website.”

You can check to see if your information was in the exposed CloudPets databases at “Have I Been Pwned,” Hunt’s website that allows people to search their e-mail address for signs of compromise.

Parents should be careful about what they buy for their kids and how they use it.

“Whether it’s the Cayla doll, the Barbie, the VTech tablets or the CloudPets, assume breach,” Hunt said. 

“It only takes one little mistake on behalf of the data custodian—such as misconfiguring the database security—and every single piece of data they hold on you and your family can be in the public domain in mere minutes,” he added.

 

Featured image: CloudPets Facebook page