It has long been a serious concern that stuffed toys can record messages and sounds, which makes them a real risk to the privacy of children and their parents. Now it seems that, through a security vulnerability, anyone was able to see personal information, view photos or hear recordings belonging to the owners of CloudPets toys. At one point, some people were asking for ransom in exchange.
The stuffed toys issue
Security researcher Troy Hunt recently compiled a report and found that over 820,000 user accounts have been affected by this problem. That means roughly 2.2 million voice recordings. According to Hunt, people might be shocked to discover that when parents connect the stuffed toy, their kid's voice is kept on a server on Amazon. The issue with the CloudPets toys is that they are able to connect to various mobile devices and apps. The idea is good: the parents or anyone else can send messages and the toy will play them for the child. The problem is that the other way around works too.
The CloudPets toys store all the data they receive in the cloud, not on the respective mobile device. All the toys that can be connected to a device do this, actually. The issue was that, according to Hunt, the data was kept in a database that was very insecure and did not even require authentication to access. So someone entered the database, stole the data and asked CloudPets for a ransom in bitcoins. However, it seems that the company was able to restore the data from a backup and did not pay anything.
Users did not know about the leak
The issue was that the users did not know about the leak at all. There is an even bigger problem. In California, the government asks companies to inform their users if their data has been stolen. Since CloudPets is based in California, it might have broken the law. Hunt found out about this situation when some users were worried that their e-mails were not returned. He was not able to contact the company to see what was going on, so he started an investigation on his own.
There is a rather shocking example on Twitter of what this technology can be used for. A worried user posted a short clip in which someone is sending messages through the stuffed toy to his child, and the user apparently cannot be blocked.
— Handsome Neil (@MisterZoomer) January 29, 2017
A good precautionary measure would be to change the password of the toys frequently. Parents should also be aware that hackers can nowadays gain access almost anywhere. So, before buying such a toy, they should think twice about whether they really need it. While the recordings do not necessarily pose a security threat, it is not pleasant at all to have something like this near your child.