Internet-connected teddy bears manufactured by toy maker Spiral Toys have leaked the email addresses and password details of more than 800,000 customers online.
The leak, which was exposed in a blog post by Troy Hunt, manager of breach notification website Have I Been Pwned?, also includes more than 2 million voice recordings between children and their parents, shared over the Internet via teddy bears known as CloudPets.
According to Hunt, between Christmas Day 2016 and January 8 2017 the data was easily discoverable through Shodan, a search engine that indexes Internet-connected devices, allowing numerous parties, including criminals, to access the data and hold certain parties to ransom.
The 821,296 account records were held in a MongoDB database that was protected by neither a firewall nor a password, hosted by Romanian mobile development company mReady. The voice recordings, meanwhile, were kept in an Amazon S3 cloud storage bucket that likewise required no authorization to access.
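The two failures described above, a MongoDB instance reachable with no access control and a storage bucket readable by anyone, are exactly what a pre-deployment configuration audit should catch. The following Python check is an added example, not code from the article, from Spiral Toys or from mReady; it assumes the MongoDB settings and the S3 bucket ACL are available as dicts in the shapes shown (mongod.conf keys and the result format of boto3's get_bucket_acl()).

```python
# Added example, not from the original article: audit the two misconfigurations
# behind the CloudPets leak, a MongoDB instance reachable without access control
# and an S3 bucket open to anonymous users. Inputs are constructed dicts that mirror
# mongod.conf keys and the shape boto3's get_bucket_acl() returns; nothing here
# contacts a live server.
ANON_GROUPS = {  # S3 predefined groups whose grants make a bucket public
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def mongod_findings(conf: dict) -> list:
    """Return a list of problems for a mongod.conf-style mapping."""
    findings = []
    net = conf.get("net", {})
    # Before MongoDB 3.6 a missing bindIp meant "listen on every interface",
    # so an absent value is treated like an explicit wildcard.
    bind = {ip.strip() for ip in str(net.get("bindIp", "0.0.0.0")).split(",")}
    if net.get("bindIpAll") or bind & {"0.0.0.0", "::"}:
        findings.append("mongod listens on all interfaces (net.bindIp)")
    # Access control stays off unless security.authorization is explicitly enabled.
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("mongod access control is off (security.authorization)")
    return findings

def s3_acl_findings(acl: dict) -> list:
    """Return a list of public grants in a get_bucket_acl()-shaped dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in ANON_GROUPS:
            findings.append(f"bucket grants {grant.get('Permission')} to {ANON_GROUPS[grantee['URI']]}")
    return findings

# Constructed samples: the exposed shape beside a corrected one.
EXPOSED_MONGOD = {"net": {"bindIp": "0.0.0.0", "port": 27017}}  # no security section
HARDENED_MONGOD = {"net": {"bindIp": "127.0.0.1", "port": 27017},
                   "security": {"authorization": "enabled"}}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER, {"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
HARDENED_ACL = {"Grants": [OWNER]}

if __name__ == "__main__":
    for label, result in [("exposed mongod", mongod_findings(EXPOSED_MONGOD)),
                          ("hardened mongod", mongod_findings(HARDENED_MONGOD)),
                          ("exposed bucket", s3_acl_findings(EXPOSED_ACL)),
                          ("hardened bucket", s3_acl_findings(HARDENED_ACL))]:
        print(f"{label}: {result or 'no findings'}")
```

A firewall rule in front of the database would have been a second, independent layer; the audit above only covers the service-level settings the article names.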
To make matters worse, Hunt revealed that at least four attempts to warn Spiral Toys about the serious security vulnerability in the teddy bears drew no response.
“It’s impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them,” Hunt wrote.
“Obviously, they’ve changed the security profile of the system and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines.”
The perils of IoT
This is yet another instance that exposes the distinct lack of security in IoT devices. We’ve already seen some of the most banal objects, like vending machines, used to bring down networks, and yet security still appears to be an afterthought in these devices.
Using IoT devices to bring down a website is one thing, but allowing criminals to access messages sent by children is disturbing.
Hunt was moved to write that parents “must assume data like this will end up in other peoples’ hands. Whether it’s the Cayla doll (hacked this month), the Barbie, the VTech tablets (hacked two years ago exposing personal data of 6.3 million children) or the CloudPets, assume breach.”
“It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.
“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen,” he said.
“There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, summed the situation up well in an email to journalists.
“Such incidents are very frustrating, as it’s just a tip of the IoT iceberg,” he said. “Too many companies, unfamiliar with the basic principles of information security, have entered into the IoT manufacturing business, putting data and privacy of their customers at critical risk.”