Internet-connected devices can pose a serious risk if cybersecurity is not handled correctly. On 27 February, one US-based company found out the hard way after a months-long investigation uncovered a serious data breach involving smart teddy bears impacting hundreds of thousands of people.
The company is called CloudPets, a brand owned by Spiral Toys. According to its website, it sells internet-connected soft toys that transmit voice recordings via the cloud between parents and children. "It's a message you can hug," its motto states.
What information was leaked?
According to Troy Hunt, the security researcher who worked to disclose the breach, the leaked data consisted of at least 821,000 records and 2,182,337 voice recordings. It was obtained from two separate databases – titled "cloudpets-staging" and "cloudpets-test" – each roughly 10GB in size.
How was the data exposed?
The leaked cache of data was being stored in a public-facing database without any password protection. Researchers (and likely cybercriminals) discovered the CloudPets data in the wild while combing through Shodan, a sort of search engine for IoT devices.
How long was the information exposed?
While exact times and dates remain somewhat unclear, experts suggest the sensitive data was exposed between 25 December and 7 January. The situation became more complicated after a hacker reportedly obtained the database and held it for ransom.
Held it for what now?
Yes, indeed, the CloudPets database was found by more than just helpful researchers. On 7 January, Hunt said, the original copies were deleted and replaced with a note reading: 'Pwned, secure your stuff silly'. This is an increasingly popular way crafty cybercriminals are making money.
At least the passwords were secure, right?
No, not really. While the company stored credentials as bcrypt hashes rather than in plain text, it failed to implement any worthwhile rules around choosing passwords. Researchers quickly cracked many of them, with some including '123456', 'qwe' and 'cloudpets'. Yes, that's a three-character password right there.
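The point here is that a slow hash like bcrypt cannot protect a password that is guessable in a handful of attempts; the registration flow has to reject such passwords before they are ever hashed. As an added example that is not CloudPets' code, a Python registration check that enforces minimum length, a denylist and a ban on product- and account-derived words, and only then hashes the password (the standard library's PBKDF2 stands in for bcrypt here; the denylist, product terms and email address are constructed for the example):

```python
import hashlib
import os
import re

# Constructed denylist: the weak values quoted in the article plus a few
# classic entries. A real deployment would load a large breached-password
# list instead of this handful.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "qwe", "111111", "letmein"}
PRODUCT_TERMS = {"cloudpets", "spiraltoys", "teddy"}  # hypothetical vendor terms
MIN_LENGTH = 12


def password_problems(password: str, email: str = "") -> list:
    """Return the policy rules a candidate password violates (empty = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if any(term in lowered for term in PRODUCT_TERMS):
        problems.append("contains the product or vendor name")
    local_part = email.split("@")[0].lower()
    if local_part and local_part in lowered:
        problems.append("contains the account's email name")
    # Single repeated character, or digits only (e.g. '123456')
    if re.fullmatch(r"(.)\1*", password) or re.fullmatch(r"\d+", password):
        problems.append("is a single repeated character or digits only")
    return problems


def hash_password(password: str) -> tuple:
    """Salted, deliberately slow hash for storage. PBKDF2 from the standard
    library is used as a stand-in for bcrypt; the iteration count provides the cost."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def register(password: str, email: str) -> tuple:
    """Hash only after the policy check passes: a slow hash does not rescue '123456'."""
    problems = password_problems(password, email)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for pw in ("123456", "qwe", "cloudpets", "correct horse battery staple"):
        try:
            register(pw, "parent@example.com")
            print(f"{pw!r}: accepted")
        except ValueError as exc:
            print(f"{pw!r}: rejected ({exc})")
```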
How can I check if my email is compromised?
Luckily, Hunt is more than your average security researcher. He also manages a breach notification website called HaveIBeenPwned, which lets you quickly and easily check if your credentials were in a listed data breach. The CloudPets data has now been loaded into the service.
But the company responded quickly, yeah?
No, not really. The researchers, including Hunt, Shodan expert Niall Merrigan and Vice Motherboard, found it impossible to contact the company for over a month, trying phone calls, emails, private email addresses and support tickets. Only after the leak was exposed did it respond publicly.
Great, so CloudPets is sorry, surely?
No, not really. "The headlines that say two million messages were leaked on the internet are completely false," Mark Myers, CEO of the company, told Network World in a statement. Rather shockingly, he added: "We looked at it and thought it was a very minimal issue."
What does Troy Hunt say about that?
"Scanning for this sort of thing is enormously prevalent and that data – including the kids' and parents' intimate audio clips – is now in the hands of an untold number of people," he said in a blog post. One message he found stated: "Hello mommy and daddy, I love you so much."
Is this cyberattack unprecedented?
Unfortunately not. Recently, Germany banned an internet-connected children's doll called My Friend Cayla amid fears it could be used as a surveillance tool. Meanwhile, in 2015, Hong Kong firm VTech was implicated in a huge data breach that impacted over six million people.