Web-connected teddy bear toys leak 2 million private voice messages and other private data
Tue 28 Feb 2017
In the latest scandal over web-connected children's toys with poor privacy protections, the maker of a range of 'smart' plush toys has been revealed to have exposed over two million voice recordings of children and their families.
The exposed database had been indexed by Shodan, a search engine for internet-facing devices and services rather than documents and web pages. The breach was publicised by security researcher Troy Hunt, who established that the data had been found and accessed by multiple parties via Shodan and ultimately held for ransom by cyber-criminals.
The toys in question are Spiral Toys' CloudPets range, which record and replay voice messages exchanged between children and family members through a companion app. The data was stored with Romanian hosting provider mReady, and Hunt reports that the manufacturer was warned at least three times about the exposure without responding.
The data sat in a MongoDB instance exposed to the internet with no authentication at all, which is why Shodan's crawlers were able to index it like any other open service. Last week Hunt was sent approximately 583,000 records from the mReady database, only a subset of what was publicly reachable. His contact, who had originally identified the exposure, tried several times to alert the company, first via the WHOIS contact details for the domain and then via Spiral Toys' hosting provider.
‘Note the record count here – he’d identified “over 820k users” – the 583k in circulation was not the full amount. So 3 attempts to warn the organisation of a serious security vulnerability and not a single response. I’ve said many times before in many blog posts, public talks and workshops that one of the greatest difficulties I have in dealing with data breaches is getting a response from the organisation involved. Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this.’
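The condition that let Shodan find the CloudPets database, a MongoDB listener that answers commands with no credentials, can be checked without installing a driver. The following is an added example, not code from the article, Spiral Toys or mReady: it frames a `listDatabases` command in MongoDB's OP_MSG wire protocol (MongoDB 3.6 and later), sends it unauthenticated, and decodes the reply with a small BSON codec. The host and port are assumptions; only probe systems you are authorised to test.

```python
"""Dependency-free probe: does a MongoDB instance answer listDatabases with no credentials?

Added example, not code from the original article or from Spiral Toys/mReady. It speaks
the OP_MSG wire protocol directly, so nothing beyond the standard library is needed.
Host and port below are assumptions.
"""
import socket
import struct
import sys

OP_MSG = 2013  # opcode of the OP_MSG message type


def encode_bson(doc: dict) -> bytes:
    """Encode a dict of bool/int/float/str/dict values as a BSON document."""
    body = b""
    for key, value in doc.items():
        cname = key.encode() + b"\x00"
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            body += b"\x08" + cname + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + cname + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + cname + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + cname + struct.pack("<i", len(raw)) + raw
        elif isinstance(value, dict):
            body += b"\x03" + cname + encode_bson(value)
        else:
            raise TypeError(f"unsupported BSON value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def decode_bson(buf: bytes, offset: int = 0):
    """Decode one BSON document at offset; return (dict, offset just past it)."""
    total = struct.unpack_from("<i", buf, offset)[0]
    pos, end, out = offset + 4, offset + total - 1, {}
    while pos < end:
        etype = buf[pos]
        nul = buf.index(b"\x00", pos + 1)
        key = buf[pos + 1:nul].decode()
        pos = nul + 1
        if etype == 0x01:                                   # double
            out[key] = struct.unpack_from("<d", buf, pos)[0]
            pos += 8
        elif etype == 0x02:                                 # UTF-8 string
            slen = struct.unpack_from("<i", buf, pos)[0]
            out[key] = buf[pos + 4:pos + 3 + slen].decode()
            pos += 4 + slen
        elif etype in (0x03, 0x04):                         # document / array
            sub, pos = decode_bson(buf, pos)
            out[key] = list(sub.values()) if etype == 0x04 else sub
        elif etype == 0x08:                                 # bool
            out[key] = buf[pos] == 1
            pos += 1
        elif etype == 0x10:                                 # int32
            out[key] = struct.unpack_from("<i", buf, pos)[0]
            pos += 4
        elif etype == 0x12:                                 # int64
            out[key] = struct.unpack_from("<q", buf, pos)[0]
            pos += 8
        else:
            raise ValueError(f"unhandled BSON type 0x{etype:02x} for {key!r}")
    return out, end + 1


def build_op_msg(command: dict, request_id: int = 1) -> bytes:
    """Frame a command as OP_MSG: 16-byte header, flagBits=0, one kind-0 body section."""
    body = struct.pack("<I", 0) + b"\x00" + encode_bson(command)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_MSG) + body


def parse_op_msg(raw: bytes) -> dict:
    """Return the body document of an OP_MSG reply (header 16, flagBits 4, kind byte 1)."""
    opcode = struct.unpack_from("<i", raw, 12)[0]
    if opcode != OP_MSG:
        raise ValueError(f"unexpected opcode {opcode}")
    return decode_bson(raw, 21)[0]


def is_unauthenticated(reply: dict) -> bool:
    """True when listDatabases succeeded with no credentials: the instance is open."""
    return reply.get("ok") == 1 and "databases" in reply


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


def probe(host: str, port: int = 27017, timeout: float = 5.0) -> dict:
    """Send listDatabases without authenticating and return the decoded reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        head = _recv_exact(sock, 4)
        total = struct.unpack("<i", head)[0]
        return parse_op_msg(head + _recv_exact(sock, total - 4))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed host
    result = probe(target)
    if is_unauthenticated(result):
        print(f"OPEN: {target} lists databases with no credentials:",
              [d["name"] for d in result["databases"]])
    else:
        print(f"closed: {result.get('errmsg', result)}")
```

A reply carrying `ok: 1` and a `databases` array means anyone who can reach the port can enumerate and dump the instance, which is the state CloudPets was in. A correctly configured server answers the same command with `ok: 0`, `code: 13` and `codeName: "Unauthorized"`; bind MongoDB to private interfaces and enable `security.authorization`, then re-run the probe to confirm the change.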
When Hunt followed up with a Motherboard journalist, it transpired that the journalist had also been sent screenshots of the exposed CloudPets database.
At the time, the tip had been lost among the constant stream of unverified security alerts; now its validity was clear. The screenshots showed 821,296 user records and 2,182,337 voice recordings, across both a staging and a production environment. That the staging environment was exposed alongside production is a further departure from basic security practice.
Testing the upload flow used by the toys, Hunt found that recordings were stored in an Amazon S3 bucket that served files to anyone holding the object path, which the app returned directly, and that personal information, including email addresses and profile photos, was accessible as well.
Though the passwords were hashed with bcrypt, the password requirements were so minimal ('a' was a valid password) that the slow hash offered little protection: with a short wordlist of trivial passwords, a large share of the hashes could be cracked offline without special tools, and the corresponding accounts taken over.
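The point in the paragraph above, that a slow hash buys nothing when the policy accepts one-character passwords, is easy to demonstrate. The following is an added example, not the article's or CloudPets' code. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here; its iteration count plays the role of bcrypt's cost factor and the conclusion is the same. The accounts, passwords, wordlist and blocklist are all constructed for the demonstration.

```python
"""A slow password hash cannot compensate for a password policy that accepts "a".

Added example, not the article's or CloudPets' code. PBKDF2-HMAC-SHA256 from hashlib
stands in for bcrypt (not in the standard library); the work factor plays the same
role. All accounts, passwords, the wordlist and the blocklist are constructed.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

ITERATIONS = 20_000  # work factor; bcrypt's cost parameter is the analogue

# Constructed blocklist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"a", "123456", "password", "qwerty", "qwe", "cloudpets", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash, as a login system stores it."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == digest


def crack(records: Iterable[Tuple[str, bytes, bytes]], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack over leaked (email, salt, digest) rows.

    Each candidate costs one full KDF evaluation, so the attacker pays at most
    len(wordlist) x len(records) hashes: negligible when the wordlist is a few entries.
    """
    words = list(wordlist)
    found: Dict[str, str] = {}
    for email, salt, digest in records:
        for candidate in words:
            if verify_password(candidate, salt, digest):
                found[email] = candidate
                break
    return found


def password_policy_ok(password: str, min_length: int = 12) -> bool:
    """The control CloudPets lacked: a floor on what the hash has to protect."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


def build_sample_records() -> List[Tuple[str, bytes, bytes]]:
    """Constructed user rows: four weak passwords, one strong one."""
    users = [
        ("parent1@example.com", "a"),
        ("parent2@example.com", "123456"),
        ("parent3@example.com", "cloudpets"),
        ("parent4@example.com", "qwe"),
        ("parent5@example.com", "Xr7!vk2#Lp9qWd"),
    ]
    return [(email, *hash_password(pw)) for email, pw in users]


def run_demo() -> Dict[str, str]:
    """Crack the sample rows with a seven-word list; returns email -> password."""
    wordlist = ["a", "123456", "password", "qwerty", "qwe", "cloudpets", "letmein"]
    return crack(build_sample_records(), wordlist)


if __name__ == "__main__":
    cracked = run_demo()
    print(f"recovered {len(cracked)} of 5 passwords with a 7-word list: {cracked}")
    for pw in ("a", "cloudpets", "Xr7!vk2#Lp9qWd"):
        print(f"policy accepts {pw!r}: {password_policy_ok(pw)}")
```

Four of the five constructed accounts fall to a seven-word list; only the account whose password would have passed `password_policy_ok` survives. The hash function is doing its job in every case, the difference is entirely in what it was asked to protect, which is why a minimum length and a breached-password blocklist belong alongside bcrypt rather than being replaced by it.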
Later investigation of the database's access history unearthed subsequent visits by attackers, apparently based in India, who deleted or copied the data and left demands for Bitcoin payments in exchange for its return.
By January 13th the database was no longer reachable, but not before multiple malicious parties had apparently accessed it and attempted to exploit or monetise the data.
Hunt added: ‘It’s impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them. Obviously, they’ve changed the security profile of the system and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines.’