A database containing millions of voice recordings belonging to CloudPet owners has been compromised, security researchers have discovered.
Do you own a CloudPet? It’s the latest cloud-based toy craze that connects a cuddly toy to a smartphone or tablet in your house, which in turn connects to another faraway smartphone or tablet, so kids and faraway parents can keep in touch by sending voice messages to each other.
The voice messages are stored in “the cloud” (yes, which basically means the Internet, or rather on a storage server belonging to the CloudPet company) and are delivered to the recipient when they check for new messages.
However, cyber-crooks have exploited lax security on the CloudPet storage servers to compromise all those stored voice recordings. A database containing links to millions of voice recordings was left exposed on the Internet.
According to CloudPets, the voice recordings themselves were protected with a password. However, many passwords were weak (‘password’, ‘123456’ and ‘cloudpets’), meaning hackers could potentially use those weak passwords to unlock the exposed voice recordings.
It has been reported that many users who accessed the exposed databases demanded a ransom from CloudPets.
To make matters worse, another security investigation into the cuddly toys revealed that a security exploit could allow any nearby Bluetooth device to connect to and control a toy without any kind of authentication.
This is the latest case where cloud-connected toys have caused privacy and security woes. VTech and Mattel’s Barbie have both been compromised by cyber-crooks, and that was also down to poor security.
It also turns out concerned security researchers attempted to contact CloudPets a number of times since Christmas, but without success.
It’s the consequence of a much deeper problem. Toy companies competing in an extremely competitive market are rushing to make their toys “smart” by connecting them to “the cloud” (the Internet), but in doing so they are often overlooking fundamental privacy and security practices. After all, toy companies themselves are usually not well versed in Internet security and there is no sufficient industry standard that a toy company has to observe.
And until toy companies are forced to conform to some security standard (or face severe fines for failing to), it is likely that cloud-based security breaches on toys will continue to occur.
If you’re a CloudPet customer, you’ve probably been forced to change your password. If you haven’t already (or if you’re using a weak password), change it immediately.