Recent concerns raised by a German think tank about smart toys serving as illegal surveillance tools were not far-fetched: over 2 million personal voice messages exchanged between parents and their children through a smart toy were exposed online.
The hacker(s) who accessed the information made a copy of it, then wiped the server clean to hold the database for ransom.
The smart teddy bear, made by Spiral Toys as part of its CloudPets line, serves as a communication channel through its built-in microphone and speaker. The device is easy to use, requiring only an internet connection and a smartphone or tablet running its app.
However, the customer database and recorded messages were stored in a MongoDB instance by mReady, a contractor based in Romania, and left publicly reachable rather than protected by a password or firewall, according to security researcher Troy Hunt. The database was indexed by Shodan, and the Amazon-hosted storage used for the recordings was also easy to reach, as it required no authorization.
“Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” Hunt writes. “The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children.”
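The password-strength gap Hunt describes, as an added example that is not from the original article or from CloudPets' or mReady's own code: two registration policies are fed the same constructed signup attempts, accepted passwords are stored as salted PBKDF2 hashes, and the stored records are then attacked offline with a short dictionary, the way a holder of the dump would. The hashing scheme, round count, wordlist and sample passwords are all assumptions for the demo, not details of the breach.

```python
import hashlib
import os
import re

# Constructed wordlist standing in for the head of a public leaked-password list
# (an assumption for this example, not data from the CloudPets dump).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "teddy",
                    "letmein", "111111", "abc123", "iloveyou"]

# Passwords a set of hypothetical parents might pick when nothing stops them (constructed).
SIGNUP_ATTEMPTS = ["123456", "qwerty", "teddy", "Wq7!plum-Orbit-2016"]

PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; production values are far higher


def weak_policy(password):
    """The 'no password strength requirements whatsoever' case: anything non-empty passes."""
    return len(password) > 0


def strict_policy(password):
    """A minimal sane policy: 12+ characters, at least three character classes, not on the common list."""
    if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the hashing scheme here is an assumption for the demo."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_accounts(policy, attempts):
    """Return the stored (salt, hash) records for every attempt the policy accepted."""
    return [hash_password(p) for p in attempts if policy(p)]


def crack(records, wordlist):
    """Offline dictionary attack against the stored records; returns how many were recovered."""
    recovered = 0
    for salt, digest in records:
        for guess in wordlist:
            if hash_password(guess, salt)[1] == digest:
                recovered += 1
                break
    return recovered


def compare_policies():
    """(accounts stored, accounts cracked) under each policy, given the same signup attempts."""
    results = {}
    for name, policy in (("weak", weak_policy), ("strict", strict_policy)):
        records = register_accounts(policy, SIGNUP_ATTEMPTS)
        results[name] = (len(records), crack(records, COMMON_PASSWORDS))
    return results


if __name__ == "__main__":
    for name, (stored, cracked) in compare_policies().items():
        print(f"{name:6} policy: {stored} accounts stored, {cracked} cracked by an 8-word list")
```

Salting and a slow hash do not rescue the weak-policy accounts: three of the four passwords sit in the attacker's list, so each falls after at most eight guesses per record. The strict policy never stores those accounts in the first place, which is the control the quote says was missing.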
Customer accounts were accessed multiple times. The vulnerabilities appear to have been detected in December, and the manufacturer has since been contacted four times without reply. Hunt believes at least one of the two companies involved knew about the vulnerabilities and the data breach.