Two million recordings of families imperiled by cloud-connected toys' crappy MongoDB
Updated Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation.
Essentially, the $40 cuddly CloudPets feature builtin microphones and speakers, and connect to the internet via an iOS or Android app on a nearby smartphone or tablet. Families can use the fake animals to exchange voice messages between their children, friends, and relatives.
These voice clips, along with records of 820,000 CloudPets.com accounts associated with the each of the toys, have been left wide open on the internet, with no password protection – allowing gigabytes of sensitive material to potentially fall into the hands of criminals. And it's all due to the company's poorly secured NoSQL database holding 10GB of this internal information.
It appears crooks found the database, presumably by scanning the public 'net for insecure MongoDB installations, took a copy of all the data, deleted that data on the server, and left a note demanding payment for the safe return of a copy of the database. This happened three times, we're told. Copies of data lifted from the CloudPets system has been passed between underground hacking groups, too, apparently.CloudPets kind of sort of denies this in a non-denial sort of way in the update. Unimpressive.
But wait, it gets worse! CloudPets' woes worsen: Web pages can turn kids' stuffed toys into creepy audio bugs:
Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the computer or handheld viewing the page, without any authentication, and start controlling the gadget and recording from its builtin microphone. You can also play sounds through it. Here's an example of such a webpage that can take over a CloudPets gizmo; the browser opening the page has to be within Bluetooth range of the CloudPets toy for it to work. You must also allow the browser to pair with the cuddly electronics.Other than that, it's totes secure and fine for your little Princess to play with, amirite?
It is possible, for example, to use this API, with CloudPets' insecure implementation, to snoop on families from outside their house, or from the other side of a wall. Just pull out your phone, open the webpage, agree to pair it with the nearby toy, and listen in.
My recommendations is to use these toys for a higher purpose - teaching your little Princess marksmanship.