… Now I know the average parent spends a good deal their time on Facebook and other “look at me .. look at me” social media and can care less about such hard to understand things like I.T. Security.
BUT THESE ARE YOUR CHILDREN AND YOU NEED TO PROTECT THEM!
…sorry, as a parent, this stuff makes my blood boil. Look parents, you scour the pedophile databases for your neighborhood, but leave the barn door open on the Internet. If you think governmental entities are going to protect you, you are only fooling yourselves. Companies peddling these things are about making the maximum amount of money at the lowest possible cost. They will **NOT** invest in expensive and complex security. Why? they do not have to. By the time the breach is discovered, they have made there millions. And there is absolutely no teeth in any governmental mandates op provide security such that any really exist in the first place.
Ok, on with the story!
The personal information of more than half a million people who bought internet-connected fluffy animals has been compromised.
The details, which include email addresses and passwords, were leaked along with access to profile pictures and more than 2m voice recordings of children and adults who had used the CloudPets stuffed toys.
The US company’s toys can connect over Bluetooth to an app to allow a parent to upload or download audio messages for their child.
Of course the company denied it and shot at the messenger
CloudPets’s chief executive, Mark Myers, denied that voice recordings were stolen in a statement to NetworkWorld magazine. “Were voice recordings stolen? Absolutely not.” He added: “The headlines that say 2m messages were leaked on the internet are completely false.” Myers also told NetworkWorld that when Motherboard raised the issue with CloudPets, “we looked at it and thought it was a very minimal issue”. Myers added that a hacker would only be able to access the sound recordings if they managed to guess the password. When the Guardian tried to contact Myers on Tuesday, emails to CloudPets’s official contact address were returned as undeliverable.
Troy Hunt, owner of data breach monitoring service Have I Been Pwned, drew attention to the breach, which he first became aware of in mid-February. At that point, more than half a million records were being traded online. Hunt’s own source had first attempted to contact CloudPets in late December, but also received no response. While the database had been connected to the internet, it had more than 800,000 user records in it, suggesting that the data dump Hunt received is just a fraction of the full information potentially stolen.
The personal information was contained in a database connected directly to the internet, with no usernames or passwords preventing any visitor from accessing all the data. A week after Hunt’s contact first attempted to alert CloudPets, the original databases were deleted, and a ransom demand was left, and a week after that, no remaining databases were publicly accessible. CloudPets has not notified users of the hack.
Hunt argues the security flaws should undercut the entire premise of connected toys. “It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.
“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen. There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”
John Madelin, CEO at IT security experts RelianceACSN, echoes Hunt’s warnings. “Connected toys that are easily accessible by hackers are sinister. The CloudPets issue highlights the fact that manufacturers of connected devices really struggle to bake security in from the start. The 2.2m voice recordings were stored online, but not securely, along with email addresses and passwords of 800,000 users, this is unforgivable.” Source: Guardian Article Here
Now for the technical, here are some tid-bits from the researcher. Full article here
Clearly, CloudPets weren’t just ignoring my contact, they simply weren’t even reading their emails”
There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.
But then I dug a little deeper and took a look at the mobile app:
This app communicates with a website at spiraltoys.s.mready.net which is on a domain owned by Romanian company named mReady. That URL is bound to a server with IP address 126.96.36.199, the exact same address the exposed databases were on. That’s a production website there too because it’s the one the mobile app is hitting so in other words, the test and staging databases along with the production website were all sitting on the one box. The most feasible explanation I can come up with for this is that one of those databases is being used for production purposes and the other non-production (a testing environment, for example).