IoT Teddy Bear Leaks 2 Million Recordings of Parents’ and Kids’ Messages

The manufacturer of Internet-connected “smart” teddy bears has leaked the credentials of over 800,000 user accounts and millions of personal messages between parents and their children, which hackers then exploited for a ransom.

Spiral Toys, the maker of Internet of Things (IoT) stuffed animals of the ‘CloudPets’ line that allows kids and their parents to exchange personal messages has leaked over 800,000 customer credentials and over two million message recordings of theirs, to the open internet. Fundamentally, the messages are exposed to everyone online.

The compromised exposed details include over 2 million voice recordings of children and parents alongside user credentials including email addresses and passwords of over 800,000 accounts.

The account data was left open to exploit in a publicly available database, according to security researcher Troy Hunt, who runs the data breach resource blog Have I Been Pwned? Hunt discovered that the database wasn’t protected by a password nor a firewall.

Hunt revealed, through searches via the Shodan search engine and other research, that Spiral Toys left customer data of its CloudPets brand on the exposed database between December 25 and January 8. Shodan is a search engine that makes it easy to locate unprotected websites and servers. Moreover, the customer data was accessed several times by different parties. One of them included criminals who held the data for ransom. The recordings themselves were accessible on an Amazon-hosted service that with no authorization required for access.

The MongoDB database that totaled 821,296 account records were stored by mReady, a Romanian company. In his blog, Hunt writes that he had attempted to notify the toymaker of the glaring vulnerability on at least four different occasions. Although he did not see any response, Troy is certain that the evidence left behind by the ransom extortionists means that the company or some of its officials knew of the exploit.

Hunt stated:

It’s impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them. Obviously, they’ve changed the security profile of the system, and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines.

The exposed data were encrypted with the bcrypt hashing function, a security measure that is harder to crack than weaker and more- generic encryption. However, a majority of the passwords were so weak to begin with that it would be entirely possible for them to be cracked, according to Hunt. This was made possible by CloudPets’ lax password policy, wherein it allowed the likes of “a” or the easy keyboard sequence “qwe” as permissible passwords.

Hunt is convinced that there are “many other connected toys” currently in the homes of families that contain “serious security vulnerabilities in the services that sit behind them.”

He warned:

It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes. 

Image credit: CloudPets.