Connected CloudPets teddy bears blab on owners, leak 2 million voice recordings

Amazon, Walmart, and Target are no longer selling CloudPets

Remember when the worst thing that could happen to your doll was it losing an eye? How times have changed.

In the latest toy scandal (yes, those are a thing now), a connected teddy bear leaked the voice recordings of more than 2 million children and parents, along with email addresses and password information associated with more than 800,000 accounts. As first reported by Troy Hunt in a blog post published in late February, Spiral Toys, the company behind the CloudPets line of stuffed animals, left a whole lot of user data vulnerable to attack. Now, those toys have been pulled from a number of retailers, including Amazon, Walmart, and Target.

Amazon began taking down CloudPets from its online marketplace after being contacted by Mozilla, which offered research that highlighted the potential dangers of the child’s toy.

“In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.

When it comes to CloudPets, it looks like that concern is well-placed. A few months ago, Hunt explained the vulnerability, writing in his blog post, “…in CloudPets’ case…data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).” So what does that mean? In essence, customer data could be easily accessed by just about anyone, and accessed it was. Hunt noted that, according to Shodan data, the customer data was accessed many times by many people between December 25 and January 8, including by malicious parties who demanded ransom for the release of some of this data.
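
For administrators, the two conditions in Hunt's description (a publicly reachable listener and no authentication) can be checked directly in a MongoDB server's configuration file. The following is an added example, not code from the article, Hunt, or Spiral Toys; the sample configs are constructed, and a missing bindIp is assumed to mean localhost, the default in current MongoDB releases.

```python
import ipaddress

# Constructed sample configs (not taken from CloudPets or the article).
WEAK = """\
net:
  bindIp: 0.0.0.0
"""
HARDENED = """\
net:
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

def flatten(text):
    """Parse the simple nested 'key: value' YAML subset of mongod.conf into dotted keys."""
    out, stack = {}, []          # stack holds (indent, key) of the open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            out[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return out

def is_public(addr):
    """True if the bind address is a wildcard or a non-loopback, non-private address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr != "localhost"   # other hostnames: treat as potentially reachable
    return ip.is_unspecified or not (ip.is_loopback or ip.is_private)

def audit(text):
    cfg = flatten(text)
    binds = cfg.get("net.bindIp", "127.0.0.1").split(",")   # assumption: modern default
    exposed = cfg.get("net.bindIpAll", "false") == "true" or any(is_public(b.strip()) for b in binds)
    no_auth = cfg.get("security.authorization", "disabled") != "enabled"
    findings = []
    if exposed: findings.append("listens on a publicly reachable address")
    if no_auth: findings.append("authorization is not enabled")
    if exposed and no_auth: findings.append("CRITICAL: unauthenticated database reachable from the network")
    return findings
```

Binding to a private address does not rule out exposure through a forwarding firewall or load balancer, so a clean result here should be paired with an external reachability check.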

Worse still, it would appear that CloudPets was actually warned of this problem, with Hunt noting that a good Samaritan had “tried to contact CloudPets three times to warn them about the exposure.” Unfortunately, the email address listed on the company’s support page bounced back, and subsequent attempts at contact went unanswered.

Sadly, Hunt said, this kind of willful ignorance seems to be rather commonplace, particularly in the realm of cybersecurity. “Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this,” he wrote. “If you run any sort of online service whatsoever, think about what’s involved in ensuring someone can report this sort of thing to you because this whole story could have had a very different outcome otherwise.”

Updated on June 5: Amazon, Walmart, and Target pulled CloudPets from stores. 
