Recorded messages spoken to teddy bears could pose privacy risks for children.
A security vulnerability allowed anyone to view personal information, photos and recordings of children’s voices from CloudPets toys. And at one point, some people tried to hold all of that information for ransom.
According to a report compiled by security researcher Troy Hunt, over 820,000 user accounts were exposed. That includes 2.2 million voice recordings.
“I suspect one of the things that will shock people is that they probably didn’t think through the fact that when you connect the teddy bear, your kids voices are sitting on an Amazon server,” Hunt said.
CloudPets toys connect to mobile apps and let parents and loved ones send messages to their children that are played through the stuffed animals. When you create an account with CloudPets, you give it your child’s name, an email address and a photo.
Like other toys that connect to the internet, CloudPets stores all that data in the cloud, not on your smartphone itself. The toys launched in 2015, and include stuffed bears, dogs, cats and rabbits.
But as Hunt and other investigators found, kids’ information was stored in an insecure database that didn’t require authentication to access it. As Hunt explained, it takes one mistake to expose this data — the error on the database was a bit like not having a pin on your smartphone.
This database was indexed by Shodan, which is a search engine for finding insecure devices connected to the internet. You can use it to see if popular devices (like toys) are leaking data — you can also use it to take advantage of insecure systems.
According to Hunt, that’s what happened. Someone deleted the data, and posted a ransom note: CloudPets would have to give the bad actors Bitcoin in order to get its data back. Instead, CloudPets likely restored the data from a backup.
The data is no longer publicly accessible. But CloudPets has not informed users of the leak, and as far as researchers know, the passwords are still active. This could be a violation of the law. In California, the government requires companies to notify users if their information was exposed online. CloudPets, and its maker Spiral Toys, are based in California.
It’s not the first security debacle for internet-connected toys. Hunt also discovered a flaw in VTech gadgets that leaked data on millions of parents and kids, and Germany recently told parents to trash Cayla dolls over hacking potential.
Concerned users tipped off Hunt to the CloudPets leak after their emails to the company went unreturned. Hunt worked with reporter Lorenzo Franceschi-Bicchierai of the tech site Motherboard to try and contact CloudPets to report the issue, but was unsuccessful.
Spiral Toys said no messages or images were compromised.
Hunt said parents should change their passwords if they reuse the CloudPets password anywhere else.
“Normally I would say get in touch with the company involved, but CloudPets is non-responsive,” Hunt said. “I almost think the advice here is to get in touch with local regulators and make a complaint about this.”