08:12 GMT+3, 23 June 2017

    'Bear-ly' Innocent: Kids' Voice Recordings Leaked in Creepy IoT Teddy Hack


    A series of web-connected, app-enabled toys called CloudPets has been hacked, exposing 800,000 user account details and voice messages left by children.

    From December 25, 2016 until the first week of January 2017, Spiral Toys left customer data of its CloudPets brand on a database that wasn't firewall protected, and as a result, hackers were able to obtain the information, lock it and hold it for ransom.

    CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth-connected stuffed toy and is played back.

    Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. According to sources, the Android app has been downloaded over 100,000 times.

    The data was found on a MongoDB server (MongoDB is a free and open-source cross-platform document-oriented database program) because the information was unprotected.

    As a result of the breach, more than 800,000 emails and passwords were exposed.

    During the time in which the data was exposed, there were at least two security researchers that enabled malicious hackers to get hold of it. In fact, at the beginning of January, several cybercriminals were actively scanning the internet for exposed MongoDB databases to delete their data and hold it for ransom, and CloudPets' data was overwritten twice, according to researchers.

    So how exactly did this happen? The central database for CloudPets' voice messages and user info was stored on a public-facing MongoDB server, which was easy to hack into as the security protecting the passwords and usernames was very basic, according to sources. 

    The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys.

    Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the server in January, but not before demands for ransom were left. 
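The exposure described above, as an added example that is not part of the original article or Spiral Toys' code: a small audit of a MongoDB `mongod.conf` for a listener reachable from outside the private network and for missing access control. The two sample configs are constructed, the addresses in them are placeholders, and the check assumes MongoDB 3.6 or later, where an unset `net.bindIp` means localhost only.

```python
import ipaddress

# Constructed sample configs (not taken from the CloudPets deployment).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one private app-tier address
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten the two-level YAML that mongod.conf uses into {'net.bindIp': ...}."""
    flat, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not raw.startswith((" ", "\t")):
            section = key                      # top-level key opens a section
        elif section:
            flat[f"{section}.{key}"] = value
    return flat

def audit(text):
    """Return findings for a public listener and for missing access control."""
    conf, findings = parse_conf(text), []
    # Assumption: MongoDB 3.6+, where an unset bindIp defaults to localhost.
    binds = [b.strip() for b in conf.get("net.bindIp", "127.0.0.1").split(",") if b.strip()]
    if conf.get("net.bindIpAll", "false").lower() == "true":
        binds.append("0.0.0.0")
    for b in binds:
        try:
            ip = ipaddress.ip_address(b)
        except ValueError:
            findings.append(f"bind target {b!r} is a hostname; check what it resolves to")
            continue
        if ip.is_unspecified or ip.is_global:
            findings.append(f"listener on {b} is reachable beyond the private network")
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled: clients need no login")
    return findings
```

A clean result here says nothing about the network path: a firewall or security-group rule limiting port 27017 to the application hosts is a separate control and has to be checked separately.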

    The toys, which are internet-connected and known as Internet of Things or IoT devices, were open to security breaches as the data itself is easily hackable.

    According to tech experts, if you are a parent who doesn't want your loving messages with your kids leaked online, you might want to buy a good old-fashioned teddy bear that doesn't connect to a remote, insecure server.

    This was a major security breach; however, according to some, it only goes to show how the IoT is a real and present danger.

    The police authorities in the US warned consumers that internet-connected devices, from medical devices to security systems, can be potential targets for malicious cybercriminals. 

    Security experts believe the tech industry needs to figure out how to secure the IoT now, while the architecture is still being developed. That means building in features such as encryption, authentication and the ability to remotely update devices now. 

    Troy Hunt, a computer security breach expert who runs HaveIBeenPwned, and who was first tipped off about the lack of security when it comes to CloudPets toys, said that it only takes one mistake. 

    "It only takes one little mistake on behalf of the data custodian […] and every single piece of data they hold on you and your family can be in the public domain in mere minutes," Hunt said.

    "If you're fine with your kids' recordings ending up in unexpected places then so be it, but that's the assumption you have to work on because there's a very real chance it'll happen," he added.

    The danger of the IoT, according to some tech experts, is no child's play, and cybersecurity experts are calling on governments to try and make it more secure.
