CloudPets are teddy bears and other stuffed animals that are connected to the internet, allowing parents and their children to record and send messages to each other while also offering games and bedtime stories to kids.
The smart toys, however, are also now known as a major security threat, as CloudPets owner Spiral Toys stored recordings and user credentials in an unprotected online database.
CloudPets Security Risk
The security risk presented by CloudPets was discovered by security researcher Troy Hunt, who found out that all the data held by the internet-connected toys was stored by Spiral Toys in a MongoDB database that was not protected by a firewall or a password.
The worst part is that the database was indexed by Shodan, a popular search engine for finding internet-connected devices. Because it was included in Shodan, people found the unprotected database where CloudPets data was stored.
The user data exposed by the unprotected CloudPets database included over 800,000 emails and passwords. A significant number of the passwords, while protected by the strong hashing function bcrypt, were easy to crack because of how weak they were. When Hunt tried cracking the passwords using some of the most commonly used ones in the world such as "123456" and "passwords" along with "cloudpets," he was able to crack a large number in just a short period of time.
In addition to the user credentials, the unprotected database also exposed nearly 2.2 million voice recordings of children and their parents, which can readily be accessed by hackers alongside the profile pictures used for each CloudPets account.
According to Hunt, Spiral Toys was notified of the security issues of the CloudPets database at least four times, and it is impossible that the company did not know that hackers had accessed the information, as ransom demands were left behind for the stolen data. However, instead of informing users and installing protections on the database, Spiral Toys seemingly restored the deleted data from a backup and continued as if there was nothing wrong.
How Parents Can Keep Safe From Internet Of Things Risks
There have been numerous cases wherein user information stored in internet-connected devices was breached, with some of the incidents related to children's toys. Some of these include VTech's Learning Lodge in November 2015 and the recently reported My Friend Cayla doll.
While the Internet of Things has certainly made some aspects of life easier, users should start to become more educated on cybersecurity so that such incidents can be minimized.
First of all, parents should be aware of any internet-connected devices that they introduce into their households. Such devices, or toys, in this case, should be properly set up with a customized username and password.
Second, the password used should be a strong one, in the form of a combination of letters in upper case and lower case, numbers, and special characters. This is to ensure that even if the stored passwords get leaked, the hashing that protects them will keep them from being figured out by hackers.
Lastly, passwords used should be different across all online services, so that if one is compromised, it will only affect a single account and prevent the hacker from accessing other accounts of the parent or child.
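The weak-password problem described above, where bcrypt-hashed passwords such as "123456", "passwords" and "cloudpets" were cracked quickly, can also be reduced by the service at sign-up time. The following is an added example, not code from Spiral Toys or Troy Hunt: a check that rejects common and service-derived passwords before they are ever hashed. The function names, the small sample blocklist and the 10-character minimum are assumptions made for illustration.

```python
import re

# Constructed sample blocklist. "123456" and "passwords" come from the article;
# the rest are illustrative. A real service would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "passwords", "password", "qwerty", "letmein"}

# Undo common character substitutions: "p@ssw0rds" -> "passwords".
LEET = str.maketrans("0134578@$!", "oleastbasi")


def candidate_forms(password):
    """Return the simplified forms of a password that a guesser tries first."""
    lowered = password.casefold()
    # Drop trailing digits and symbols: "cloudpets1!" -> "cloudpets".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = set()
    for form in (lowered, stripped):
        forms.add(form)
        forms.add(form.translate(LEET))
    forms.discard("")
    return forms


def check_password(password, service_name, email, min_length=10):
    """Return a list of rejection reasons; an empty list means accepted.

    min_length=10 is an assumed policy value, not one taken from the article.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")

    forms = candidate_forms(password)
    if forms & COMMON_PASSWORDS:
        reasons.append("common password")

    # Words tied to the account are among the first guesses ("cloudpets").
    context = {service_name.casefold(), email.split("@")[0].casefold()}
    if any(word and word in form for word in context for form in forms):
        reasons.append("contains service or account name")
    return reasons


if __name__ == "__main__":
    for pw in ("123456", "CloudPets1!", "P@ssw0rds", "maple-Tractor-violet-92"):
        print(pw, "->", check_password(pw, "CloudPets", "parent@example.com") or "accepted")
```

Note that "CloudPets1!" mixes upper case, lower case, a number and a special character, yet is still rejected because it is built from the service name.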