‘Smart’ Teddy bears hacked, 2mn private recordings leaked, children at risk
Spiral Toys, the company behind the CloudPets ‘smart’ teddy bears, left data of up to 800,000 customers, including two million individual recordings, unprotected on their servers for anyone to listen in on or view.
"It only takes one little mistake on behalf of the data custodian [...] and every single piece of data they hold on you and your family can be in the public domain in mere minutes," Troy Hunt, a security researcher, wrote about the incident.
The data was stored in a MongoDB database, an open-source database system, and was easily searchable for over a year, from Christmas 2015 until at least early January 2017, using Shodan, a search engine for connected devices that also flags unprotected websites and data.
Among the data were emails and passwords. The passwords were hashed with bcrypt, a hashing function that is particularly tough to crack and is the default option in many open source platforms including the Linux operating system.
However, given the weakness of so many of the base passwords (‘123456,’ ‘cloudpets’ and even ‘qwe’ as examples), even the extra security measures were insufficient to protect customer information.
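The point about weak base passwords, as an added example that is not from the original article or from Spiral Toys: a sign-up check that refuses passwords like the three quoted above before they are ever hashed. The blocklist, minimum length, function names and sample e-mail address are assumptions made for illustration.

```python
# Added illustration, not CloudPets code. All names and thresholds are assumptions.
MIN_LENGTH = 8
# Constructed sample; a real deployment loads a large list of common and
# previously breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123"}
# Digit, alphabet and keyboard rows used to spot runs such as "qwe" or "987654".
ROWS = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
        "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_run(pw):
    """True if pw is one unbroken run along a row, forwards or backwards."""
    return any(pw in row or pw in row[::-1] for row in ROWS)


def password_problems(password, email, service_name):
    """Return the reasons to refuse a password; an empty list means accept."""
    pw = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if pw in COMMON_PASSWORDS:
        problems.append("common password")
    if len(set(pw)) <= 2 or is_run(pw):
        problems.append("repetitive or sequential")
    # Context words that are trivially guessable: the service and the account name.
    for word in (service_name.lower(), email.split("@")[0].lower()):
        # Refuse when little is left once the context word is taken out.
        if len(word) >= 4 and word in pw and len(pw.replace(word, "")) < MIN_LENGTH:
            problems.append("based on service or account name")
            break
    return problems


if __name__ == "__main__":
    # The three passwords quoted in the article, plus a constructed passphrase.
    for candidate in ("123456", "cloudpets", "qwe", "tidal-lamp-orbit-42"):
        print(candidate, password_problems(candidate, "parent@example.com", "CloudPets"))
```

A slow hash such as bcrypt only raises the cost of each guess; a check like this removes the passwords that fall in the first handful of guesses.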
According to cyber security researchers cited by Motherboard, CloudPets’ data has been overwritten twice since the start of January 2017.
While the Internet of Things was hailed as a new era of interconnectivity and technological innovation, it has proved remarkably easy to repeatedly hack despite security upgrades and improvements. One bold hacker even created a form of online roulette with strangers’ sensitive data.
This isn’t the first time such devices have raised alarm in the past year, as authorities in Germany called on parents to destroy internet-connected dolls that could potentially be hacked. While they managed to get ahead of any possible breaches, it once again highlighted the inherent vulnerability and wishful thinking that have plagued a genuine global embrace of the IoT.
Toymaker VTech was also hacked late in 2016, losing the personal data of millions of parents and children, including selfies and private messages.
Spiral Toys has not made any official statement on the breach, nor has it notified affected customers, and it appears to be in financial difficulties at present, if its share price is any indication.
This latest breach certainly won’t be the last, it seems, and security measures within the Internet of Things have a great deal of ground to make up if they are to defend against online prying eyes.
"My bigger concern is that someone may be able to use this information to send inappropriate messages to my 6 year old daughter," Jason Pagel, a student of security expert Try Hunt, told Motherboard via email.