IoT CloudPet toys hacked, possibly leaking voice messages

Connected toys have been hacked, with children's voice recordings leaked and attackers leaving ransom notes in the targeted database, but the company behind the stuffed animals has refused to admit it has done anything wrong.

CloudPets are stuffed animals with a web connection, letting children and parents record and send messages to each other; the company describes the toys as "a message you can hug".

According to Troy Hunt, the independent security researcher behind Have I Been Pwned?, some 800,000 login credentials have been leaked, with hackers targeting an unsecured MongoDB database that was searchable on Shodan, a search engine for finding web-connected devices. The hackers allegedly deleted data and left behind ransom notes.

As Hunt notes: "CloudPets left their database exposed publicly to the web without so much as a password to protect it."

Hunt verified the data sent to him as authentic: he knew someone who had bought their daughter a CloudPet, so he could check that person's login details against the leaked data.

The voice message files weren't stored in that database but on Amazon Web Services with no authentication, though an attacker would have to guess the file names to access them. Hunt managed to access some messages after asking members of his Have I Been Pwned service, finding one that simply said: "Hello mommy and daddy, I love you so much".
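The database exposure described above comes down to two MongoDB settings: a bind address reachable from the internet and no authorization. As an added example (not code from the article, Hunt, or Spiral Toys), this small audit flags both in a mongod.conf; the two sample configs are constructed, and the parser only handles the flat section/key layout mongod.conf uses.

```python
"""Flag the two mongod.conf settings whose absence leaves a MongoDB
instance open to anyone who finds it (e.g. via Shodan): a public
bindIp and security.authorization not enabled."""

WEAK_CONF = """\
# constructed sample: listens on every interface, no auth required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: local-only listener, authentication enforced
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_simple_yaml(text):
    """Parse 'section:' lines followed by indented 'key: value' lines.
    Not a general YAML parser; sufficient for mongod.conf audits."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith(" "):               # top-level section
            section = key
            conf[section] = value if value else {}
        elif isinstance(conf.get(section), dict):
            conf[section][key] = value
    return conf

def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    bind = net.get("bindIp")
    if bind is None:
        # Before MongoDB 3.6 an unset bindIp meant all interfaces.
        findings.append("net.bindIp is unset; set it explicitly to localhost or a private address")
    elif {a.strip() for a in bind.split(",")} & {"0.0.0.0", "::"}:
        findings.append("net.bindIp listens on all interfaces; restrict to localhost or a private address")
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'; any client that can connect has full access")
    return findings
```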

Perhaps most alarming about the story is the toy maker's response. The person who first sent Hunt the data tried to contact CloudPets' maker, Spiral Toys, in December on three separate occasions, getting no response. After his own attempt to make contact failed, Hunt turned to Motherboard journalist Lorenzo Franceschi-Bicchierai, in the hopes that media pressure would make the company secure the database. However, the journalist also failed to reach the company.

"Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this," said Hunt. "If you run any sort of online service whatsoever, think about what's involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise."

Since the story made headlines, Spiral Toys has released a statement, saying to Network World that voice recordings were "absolutely not" stolen, calling the leak "a very minimal issue".

Hunt has taken issue with that response. "To suggest that the exposure and ransom of a database containing 821,000 user records and providing access to millions of voice recordings from and to children represents 'a very minimal issue' is just unfathomable." He also noted that Spiral Toys is based in California, which has mandatory breach reporting laws.

The story highlights the problems with connecting every little device to the internet, in particular children's toys: Germany earlier this month banned the so-called smart doll Cayla over fears it could be targeted by hackers.

"It's not an isolated incident," noted Bryce Boland, FireEye's chief technology officer for Asia Pacific. "This isn't the first case of a toy manufacturer failing to protect their customers' information and it likely won't be the last. The fact is, a baby's crib is required to meet more rigorous safety standards and testing than connected devices like baby monitors or connected toys."

He added: "Consumers need to be aware that there will always be potential attack vectors in products connect[ed] to the internet, and if there's no evidence from the company they've taken steps to secure information, they probably haven't. In fact, even in cases where companies claim to have taken steps, we sometimes see they haven't adequately addressed threats."

Spiral Toys released a statement overnight through spokesperson Harold Chizick. It read: "Spiral Toys was notified about a potential breach on February 22 and took immediate and swift action to protect the privacy of our customers. When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed.

"To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted. For the protection of our users we are now requiring users to choose new increased security passwords. An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password."

He added: "The CloudPet services have been running safely since March 2015 and we are taking all steps necessary to continue to run safely on our production servers. We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future.

"Once we have addressed our customers' needs and we document the incident, we will file the cyber-crime report with the State Attorney General in California. We will continue to post any updates on our website."

Hunt responded to this statement in his own blog, saying no passwords were encrypted, and pointing to a ZenDesk ticket that suggests Spiral Toys was actually told about the incident on 31 December. You can read his full response over here.

This story was originally published on 28 February and was subsequently updated on 1 March 2017 to include Spiral Toys' comment and Troy Hunt's response to it.