By The Daily Sheeple

Video: CloudPets Stuffed Toys Leaked Private Data and Millions of Voice Recordings



“Smart” stuffed animals that listen to the voices of children and parents have leaked over 2 million recorded messages online – and hackers are now holding them for ransom.

Cybersecurity expert Troy Hunt reports that an unnamed source contacted him about a data breach affecting CloudPets stuffed toys. The Bluetooth-connected stuffed animals let parents upload and download messages to and from their children via an app.

The best way to understand how these toys work, Hunt says, is to watch the commercial for them:

Hunt goes on to explain that most parents may be technically literate enough to set up a WiFi password but not savvy enough to understand how these toys actually work:

They don’t necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn’t realise that in CloudPets’ case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).

Within his analysis of the problem, Hunt points out several serious concerns:

CloudPets left their database exposed publicly to the web without so much as a password to protect it.

There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children.

Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings.

The CloudPets data was accessed many times by unauthorized parties before being deleted and then on multiple occasions, held for ransom.

Unauthorized access must have been detected but impacted parents were never notified.

Why does this matter?

Hunt summarizes:

Circling back to the parents’ position for a moment, you must assume data like this will end up in other peoples’ hands. Whether it’s the Cayla doll, the Barbie, the VTech tablets or the CloudPets, assume breach. It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.

Another researcher told Hunt he was seeing databases named “PLEASE_READ” appear across many compromised systems, containing a ransom demand as follows:

You DB is backed up on our servers, send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your ip address to email:[email protected]

There were many malicious parties taking action against exposed databases during this period, Hunt says, and researchers “…frequently saw the same system accessed multiple times by different actors, each demanding their own ransom.” (For more on how these ransom schemes work, please see Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed.)
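
An added example (not from Hunt's write-up or from CloudPets) of how a database operator could check for the two conditions described above: a MongoDB configuration that listens on all interfaces without authentication, and ransom-marker databases such as “PLEASE_READ”. The sample configs and database names are constructed; `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod.conf options, and the localhost default for an unset `bindIp` is an assumption (MongoDB 3.6 and later).

```python
import re

# Constructed sample configs for illustration (not CloudPets' actual files).
EXPOSED_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private interface
security:
  authorization: enabled
"""
RANSOM_MARKER = re.compile(r"please[_\s-]*read", re.IGNORECASE)

def parse_conf(text):
    """Flatten the two-level YAML of a mongod.conf into {'section.key': value}."""
    flat, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if line[0].isspace() and section:
            flat[f"{section}.{key.strip()}"] = value.strip()
        else:
            section = key.strip()
    return flat

def audit_conf(text):
    """Return findings for the misconfiguration described in the article."""
    conf = parse_conf(text)
    findings = []
    # Assumption: an unset bindIp means localhost (MongoDB 3.6+ default).
    binds = [b.strip() for b in conf.get("net.bindIp", "127.0.0.1").split(",")]
    if conf.get("net.bindIpAll") == "true" or {"0.0.0.0", "::"} & set(binds):
        findings.append("listens on all interfaces")
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("authorization not enabled")
    return findings

def ransom_databases(names):
    """Flag database names that look like a ransom note left by an intruder."""
    return [n for n in names if RANSOM_MARKER.search(n)]

if __name__ == "__main__":
    print(audit_conf(EXPOSED_CONF))
    print(audit_conf(HARDENED_CONF))
    print(ransom_databases(["admin", "local", "toyapp", "PLEASE_READ"]))
```

A clean audit only covers the configuration file; network-level filtering in front of the database port is a separate control.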

Technology news website Motherboard reports that the exposed data included more than 800,000 emails and passwords.

The CloudPets database is making the rounds in the internet underground, according to both Hunt and Victor Gevers, the chairman of the non-profit GDI Foundation which discloses security issues to affected victims. Gevers saw the database while it was exposed online at the end of last year, and said it contained data on 821,396 registered users, 371,970 friend records (profile and email) and 2,182,337 voice messages.

Two researchers warned Motherboard of this security breach independently, and with their help, the site was able to verify that the breach was legitimate.

Having your family’s private information exposed in such a way is bad enough, but there’s a more sinister potential problem with the toys.

Paul Stone, a security researcher with the UK-based security firm Context who has studied how CloudPets work, told Motherboard the toys can be turned into remote surveillance devices:

“Anyone within range—10 meters with a normal smartphone—can just connect to it. Once you’re connected you can send and receive commands and data.

Someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”

The CloudPets toys don’t use any standard Bluetooth security features such as pairing encryption when communicating back to their owner’s smartphone’s app, Stone explains. So, anyone within range can connect to the toy, upload a message to it, “silently” trigger the toy’s recording functionality, and “download the audio that the toy has recorded.”

Stone recorded a video to show how he made the toy play whatever message he wanted.

Creepy.

If you have one of these toys and plan to keep it, changing your password to one that is very complex is probably a good idea.

Or, perhaps opt for a good old-fashioned teddy bear that won’t invade your family’s privacy and expose your child’s personal information to hackers.

Delivered by The Daily Sheeple



Contributed by Lily Dane of The Daily Sheeple.

Lily Dane is a staff writer for The Daily Sheeple. Her goal is to help people to “Wake the Flock Up!”


Source: http://www.thedailysheeple.com/video-cloudpets-stuffed-toys-leaked-private-data-and-millions-of-voice-recordings_032017

