IoT CloudPet toys hacked, possibly leaking voice messages

Spiral Toys says no voice recordings were leaked, but researcher disagrees

Connected toys have been hacked with childrens' voice recordings leaked and attackers leaving ransom notes in the targeted database but the company behind the stuffed animals has refused to admit it's done anything wrong.

CloudPets are stuffed animals with a web connection, letting children and parents record and send messages to each other the company describes the toys as "a message you can hug".

According to Troy Hunt the independent security researcher behind Have I been Pwned? some 800,000 login credentials have been leaked, with hackers targeting an unsecured MongoDB database that was searchable on Shodan, a search engine to find web-connected devices. The hackers allegedly deleted data and left behind ransom notes.

As Hunt notes: "CloudPets left their database exposed publicly to the web without so much as a password to protect it."

Advertisement - Article continues below
Advertisement - Article continues below

Hunt verified data sent to him as authentic, as he knew someone who had bought their daughter a CloudPet, so could check that person's login details against the leaked data.

The voice message files weren't stored in that database, but on Amazon Web Services with no authentication, though a hacker would have to guess the file names to access them. Hunt managed to access some messages after asking members of his Have I Been Pwned service, finding one message that simply said: "Hello mommy and daddy, I love you so much".

Perhaps most alarming about the story is the toy maker's response. The person who first sent Hunt the data tried to contact CloudPets' maker, Spiral Toys, in December on three separate occasions, getting no response. After his own attempt to make contact failed, Hunt turned to Motherboard journalist Lorenzo Franceschi-Bicchierai, in the hopes that media pressure would make the company secure the database. However, the journalist also failed to reach the company.

"Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this," said Hunt. "If you run any sort of online service whatsoever, think about what's involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise."

Since the story made headlines, Spiral Toys has released a statement, saying to Network World that voice recordings were "absolutely not" stolen, calling the leak "a very minimal issue".

Hunt has taken issue with that response."To suggest that the exposure and ransom of a database containing 821,000 user records and providing access to millions of voice recordings from and to children represents 'a very minimal issue' is just unfathomable." He also noted that Spiral Toys is based in California, which has mandatory breach reporting laws.

Advertisement - Article continues below

The story highlights the problems with connecting every little device, in particular children's toys with Germany earlier this month banning so-called smart doll Cayla over fears it could be targeted by hackers.

"It's not an isolated incident," noted Bryce Boland, FireEye's chief technology officer for Asia Pacific. "This isn't the first case of a toy manufacturer failing to protect their customers' information and it likely won't be the last. The fact is, a baby's crib is required to meet more rigorous safety standards and testing than connected devices like baby monitors or connected toys."

He added: "Consumers need to be aware that there will always be potential attack vectors in products connect[ed] to the internet, and if there's no evidence from the company they've taken steps to secure information, they probably haven't. In fact, even in cases where companies claim to have taken steps, we sometimes see they haven't adequately addressed threats."

Spiral Toys released a statement overnight through spokesperson Harold Chizick. It read: "Spiral Toys was notified about a potential breach on February 22 and took immediate and swift action to protect the privacy of our customers. When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed.

Advertisement - Article continues below

"To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted. For the protection of our users we are now requiring users to choose new increased security passwords. An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password." 

He added: "The CloudPet services have been running safely since March 2015 and we are taking all steps necessary to continue to run safely on our production servers. We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future.

Advertisement - Article continues below

"Once we have addressed our customers' needs and we document the incident, we will file the cyber-crime report with the State Attorney General in California. We will continue to post any updates on our website."

Hunt responded to this statement in his own blog, saying no passwords were encrypted, and pointing to a ZenDesk ticket that suggests Spiral Toys was actually told about the incident on 31 December. You can read his full response over here.

This story was originally published on 28 February, and was subsequently updated on 1 March 2017) to include Spiral Toys' comment, and Troy Hunt's response to that.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Server & storage

Broadberry CyberServe R182-Z90 review: Gigabyte’s EPYC gamble pays off handsomely

7 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020