A week ago, the German government banned the Internet-connected My Friend Cayla doll over concerns that hackers could use it to spy on children. It turns out that connected toys don’t even need to be hacked to cause a privacy nightmare. All it takes is an improperly configured database.
CloudPets are marketed as “a message you can hug!” Loved ones can record a voice message on the CloudPets mobile app and send it to a child’s high-tech stuffed animal. Kids can reply by pressing a paw and recording their own message.
It’s all very innocent and cute, until you fast forward to December of last year when the CloudPets database started leaking private information like a sieve.
Last week, someone reached out to application security expert Troy Hunt, saying that he had a copy of the entire CloudPets database. Hunt received a snippet containing around half a million records, and he went to work verifying their authenticity immediately. As luck would have it, he was leading a security course in Texas at the time… and one of his students happened to be a registered CloudPets parent.
In no time at all Hunt was able to locate his student’s email address in the data. After advising a password reset, Hunt asked for his original CloudPets password. It matched. The data was real.
Here’s where things get creepy. Among the data that was leaked were numerous audio recordings uploaded by CloudPets users both young and old and profile pictures of children. The database included direct links to the recordings. Anyone who saw the data could download a child’s CloudPet audio files, and there was no way of telling how many people had done that at this point, according to Hunt.
There’s another layer to the creepiness. CloudPets didn’t have any password complexity requirements. Spiral Toys CEO Mark Meyers has an explanation for that. “We have to find a balance,” he said, referring to the need to weigh security against ease-of-use. Fair enough, but there’s a big difference between finding a balance and failing to address even the most basic security concerns.
Here’s the result of that “balance.” In a demo video for the toys, Hunt pointed out to me that the password Spiral Toys showed being entered was “qwe,” which is about as weak as passwords get (watch for it around the 1:00 mark). Many actual passwords in the database weren’t much better: abc123, 123456, cloudpets.
The passwords were also easy to crack, Hunt said. Since all you need is an email address and password to sign into the CloudPets app, it’s possible, then, that someone who accessed the data could have sent messages to a child’s CloudPet. Thankfully, there don’t appear to be any reports of that happening. Not yet, anyway.
In mid-January, the database leak was finally plugged. The CloudPets recordings, on the other hand, are still available to anyone who has the links… and, again, Hunt says there’s no real way to know how many people got their hands on the database. Meyers downplayed the severity, saying “we looked at it and thought it was a very minimal issue.”
It’s worth noting, however, that he also vehemently denied that any audio recordings were “stolen.” “Absolutely not,” Meyers replied when asked. That goes against what Hunt discovered. Files were definitely exposed and able to be downloaded from the Amazon S3 storage utilized by CloudPets by anyone who had a valid link… and there were plenty of those listed in the database.
How Severe Is This Leak?
Looking at numbers alone, the CloudPets incident pales in comparison to the VTech breach that occurred in 2015. More than 6 million user profiles were exposed with a huge number of those belonging to children. Circumstances were very different, however. Hunt says that only a handful of people ever saw that data, and it’s known who saw it.
While fewer than a million records are circulating as a result of the CloudPets database leak, the fact that the data was left wide open, accessed repeatedly by countless unknown individuals, and contained links to actual audio recordings made by children makes the CloudPets situation much more alarming.
Compounding the problem is the fact that no one involved bothered to acknowledge the breach in a timely manner. Hunt and fellow researchers reached out to everyone they could think of to contact and no one responded to emails or returned phone calls. It was only after reports started appearing online that Spiral Toys offered a response.
Where does this leave affected parents and children? When companies don’t step up in cases like this one, the government can get involved. The state of California can intervene because there are breach notification laws in place and Spiral Toys is based in California. And because the privacy of children has been compromised, the FTC can take enforcement actions as spelled out by COPPA.
As Hunt told me in an interview, this is “the realization of all fears with IoT (Internet of Things) toys.” Remember, parents: if it’s connected to the Internet, you can’t treat it like it’s just a child’s plaything. There are very real risks involved whenever data is uploaded to a server, even if it comes from a toy.