On 28 February, cybersecurity expert Troy Hunt reported that data from thousands of Spiral Toys customer accounts had been leaked online. Spiral Toys, a California-based company, sells connected CloudPets teddy bears, which can play remotely recorded voice messages to children. The database used to store account data and voice messages was completely unprotected: more than 2 million audio messages and 821,000 user records had been exposed on the Internet.
Connected toys: miniature Trojan horses?
The CloudPets data leak is not the first to affect the toy industry. Back in November 2015, the Hong Kong digital toymaker VTech announced that hacked data had been stolen from more than 10 million accounts. This data included children’s photos and the contents of chat sessions.
Several other connected toys have been criticised or prohibited for inadequate security. Cayla dolls, for example, were banned in Germany last month. German authorities even advised parents who had bought these dolls to destroy them. In December 2015, a number of cybersecurity researchers condemned Mattel for the inadequate security of Hello Barbie dolls. According to reports, these dolls, which used microphones and voice recognition technology, were too easily hacked. The CloudPets hack is yet another test challenging the security of connected toys.
A MongoDB left exposed to hackers
Spiral Toys teddy bears allow parents to communicate with their children using the Cloud. A mobile application records parents’ messages, which are then stored online in a MongoDB before being redirected to the children’s toys.
The CloudPets database has been listed on Shodan – a freely accessible search engine indexing connected devices – since 25 December 2016. The database was probably incorrectly configured, leaving it completely unprotected.
Worryingly, since early January, hackers have increasingly targeted open MongoDB databases, taking them over and forcing owners to pay ransoms to regain control of their data. The CloudPets database appears to have been one of the victims of this wave of attacks, as seen in the database name changes on 7 and 8 January 2017: “README_MISSING_DATABASES” and “PWNED_SECURE_YOUR_STUFF_SILLY”. However, Spiral Toys never reported that its data was compromised. This information may have been copied and sold on the Dark Web. Stolen audio files may also have been used to demand ransoms.
The Internet of Things, an El Dorado for hackers
This data leak clearly shows the vulnerability of connected devices. While these toys may offer new ways of communicating with children, they can also be used to target the families who own them. As the CloudPets situation shows, security breaches allow hackers to listen in on, steal and reuse personal conversations.
Authorities like Germany’s Bundesnetzagentur face a major challenge: protecting the owners of toys that present privacy risks. Last March, the Consumer Protection Cooperation Network, which brings together consumer protection authorities throughout Europe, met with personal data protection authorities in several European countries to discuss the risks of connected toys. Lawmakers have a close eye on our children’s new best friends…