Naked Security

Hackable CloudPets pulled from Target, Walmart, Amazon and more

The stuffed toys are stuffed with security problems that we've known about for over a year.

Most parents likely don’t want their kids’ talking stuffed toys to issue Dalek threats in those non-indoor voices of theirs.

But that’s exactly what happened, thanks to toy maker CloudPets’ unsecured MongoDB server. The toys allow children to send and receive audio messages via the cloud and an iOS or Android app.
Last year, more than half a million people who bought the Bluetooth-enabled, Internet of Things (IoT), fluffy little suckers had their data and kids’ voice messages exposed.
The email addresses and password information for more than 800,000 accounts were also leaked. In fact, CloudPets users’ data was accessed by unauthorized parties on multiple occasions and held for ransom.
Now, finally, 16 months later, the toys are being yanked from the online shelves at Walmart, Amazon, eBay and Target.
As Consumer Affairs reports, researchers recently discovered that the security issues in CloudPets still haven’t been fixed, prompting the Electronic Frontier Foundation (EFF) to pen a letter to Walmart, Target, and Amazon, voicing concern that they were still selling the not-so-smart toys.
CloudPets’ leaky databases contained all user accounts and potentially up to 2.2m voice messages: sensitive material that had been compromised around Christmas time 2016 by hackers who found the databases lying wide open, no authentication required (though account profiles were at least protected with passwords hashed using Bcrypt). All it took was the Shodan IoT search engine to discover the enormous cache.
Worse, numerous people accessed the exposed databases, some of whom demanded a ransom from the parent company after deleting the databases, in a manner identical to a spate of then-recent attacks on MongoDB installations.
CloudPets were just one of a number of ultra-hackable spying toys – including “My Friend Cayla” – that Senator Mark Warner (D-Va.) wrote to the Federal Trade Commission (FTC) about in March 2017, calling on the feds to launch an investigation.
But it was a statement from Mozilla Vice President of Advocacy Ashley Boyd that really stuck a stick into the retailers’ toy-selling spokes. Last week, Walmart and Target stopped selling the internet-connected toys. Amazon followed suit on Tuesday after it was contacted by Mozilla, which offered research highlighting the vulnerabilities of CloudPets. eBay has also stopped selling the toys.
Working with cybersecurity research firm Cure53, Mozilla found that the Bluetooth vulnerabilities identified in CloudPets toys back in 2017 are still present. Consumer Affairs quoted the researchers:

The company clearly does not care about their users’ security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users.

From Boyd’s statement, which is connected to a potential petition on the issues that now won’t see the light of day, considering that the retailers are pulling the toys:

In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security.

According to Mic, the petition would have included a letter sent to retailers detailing issues about data breaches, spying capabilities and potential phishing risks in CloudPets products.
Mic talked to Boyd by phone. She called CloudPets an “egregious example” of how lax smart toy makers can be when it comes to security, and how unresponsive to multiple researchers’ attempts to flag such toys’ security flaws:

The concern we have around CloudPets is that the vulnerability has been clear for a while and there’s been no action. Some smart toys are better at security than others, but we felt like CloudPets was an egregious example. Our goal was to reach out to retailers to make sure they knew exactly what kind of product they were selling.

In fact, as Hunt noted when reporting the flaws in February 2017, the manufacturer of these toys didn’t respond to email at all. Hunt:

Clearly, CloudPets weren’t just ignoring my contact, they simply weren’t even reading their emails.

You can see why security researchers cite lack of response as one of their biggest problems when it comes to responsible disclosure. CloudPets, for one, has certainly been an elusive little stuffed unicorn.
Perhaps exterminating! Annihilating! And destroying! the revenue from toy sales will get CloudPets to come out of hiding.
