Connected teddy bears leaked kids' voices online

When Germany banned a connected doll over security concerns, it wasn’t being overly cautious. As it turns out, there’s a textbook example of what happens when toy data privacy goes horribly wrong. Security researchers have discovered that Spiral Toys’ internet-savvy teddy bears, CloudPets, stored kids’ voice messages to their parents (not to mention names and birthdays) in an insecure, misconfigured database that anyone could access online. While the passwords for the toys’ accounts (over 821,000 of them) were stored as cryptographic hashes, there was no password strength requirement — it was trivial to crack many accounts and download voice data at will. And it gets worse.

Info security expert Niall Merrigan found evidence that the databases were compromised. Intruders copied the databases, deleted the originals and demanded a payment in bitcoin to get the data back. Given that the databases appeared to be completely gone by January 13th, it doesn’t appear that Spiral gave in to or acknowledged the demands.

As for Spiral’s response? There is none, and might never be. Microsoft’s Troy Hunt and others have tried reaching out to Spiral multiple times to no avail, and the company doesn’t appear to have notified customers despite obvious signs that something was amiss. From all indications, the company is on life support or dead: its social media accounts have been silent for months, and its stock price is near worthless.

We’ve asked security experts for added insight. However, between this and revelations for other products, it’s already clear that connected toy makers are walking on glass when they decide to put kids’ communications online. Even if a company doesn’t do anything shady, such as passing the info along to irresponsible third parties, it can only take a slip-up to expose extremely sensitive messages to the world. And that’s assuming skilled hackers don’t find it first, or that the company doesn’t go belly-up without a firm plan to erase stored data. This doesn’t mean that companies should abandon internet-capable toys altogether, but they need to both weigh the merits of storing any info online and take very, very thorough precautions to make sure that incidents like this can’t happen.

Source: Troy Hunt, Niall Merrigan (Twitter)

Source: Engadget

Author: Daily Tech Whip
