SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
2 Mar 2017

After breach, researcher reveals CloudPets toy can be used to spy on kids

More bad news for toymaker Spiral Toys, which left customer data from its "CloudPets" brand exposed online.

An internet-connected teddy bear that allows parents and kids to exchange heartfelt audio messages sounds like a great idea — until the parents' emails and passwords, as well as the message recordings themselves, are left exposed online to hackers.

That's what happened to an Internet of Things teddy bear made by Spiral Toys, as an expert reported on Monday. The company left a database containing customer data completely unsecured. And as it turns out, the teddy bears themselves, part of the company's CloudPets brand, were insecure too, and could have been easily hacked. "Anyone within range—10 meters with a normal smartphone—can just connect to it," Paul Stone, a security researcher who studied how CloudPets' toys work, said in an email. "Once you're connected you can send and receive commands and data."

In other words, the teddy bears could be turned into remote surveillance devices, or used to harass toddlers, much like some insecure baby monitors were used to terrorize children in the past. Stone, a researcher with the UK-based security firm Context, said the CloudPets toys don't use any standard Bluetooth security features, such as pairing encryption, when communicating back to their owner's smartphone app. Anyone within range, Stone said, can connect to the toy, upload a message to the toy, "silently" trigger the toy's recording functionality, and "download the audio that the toy has recorded."

So if you have a smartphone with Bluetooth, you can just connect to it and start sending audio messages to it. You don't even need to be within 10 meters (approximately 32 feet) if you use a directional antenna, according to Stone. "Someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone," Stone wrote in a blog post explaining his findings on Tuesday. In a video, the researcher showed how he made the toy play whatever message he wanted.
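The missing link protection described above, as an added example (not code from the article, from Stone's research, or from Spiral Toys): a request handler in the open form the article describes, beside a hardened form that refuses peers that are not bonded or not encrypted. The struct, enum and function names are hypothetical and the model is simplified; the ATT error codes are the ones defined in the Bluetooth Core Specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ATT error codes as defined in the Bluetooth Core Specification. */
#define ATT_OK                 0x00
#define ATT_ERR_INSUFF_AUTHEN  0x05
#define ATT_ERR_INSUFF_ENCRYPT 0x0F

/* Hypothetical per-connection state tracked by the toy's firmware. */
struct link_state {
    bool bonded;     /* peer has paired and its keys are stored */
    bool encrypted;  /* link encryption is currently active */
};

/* Hypothetical operations, named after the actions the article lists. */
enum toy_op { OP_UPLOAD_AUDIO, OP_START_RECORDING, OP_DOWNLOAD_AUDIO, OP_COUNT };
typedef uint8_t (*toy_handler)(const struct link_state *, enum toy_op);

/* Weak form: any connected peer is served, as the article describes. */
uint8_t handle_open(const struct link_state *link, enum toy_op op) {
    (void)link; (void)op;
    return ATT_OK;
}

/* Hardened form: only a bonded peer on an encrypted link is served. */
uint8_t handle_secured(const struct link_state *link, enum toy_op op) {
    (void)op;  /* every operation here is treated as sensitive */
    if (!link->bonded)
        return ATT_ERR_INSUFF_AUTHEN;   /* unknown phone: pair first */
    if (!link->encrypted)
        return ATT_ERR_INSUFF_ENCRYPT;  /* known phone: encrypt first */
    return ATT_OK;
}

/* Count the operations a never-paired phone in radio range would be served. */
int exposed_to_stranger(toy_handler h) {
    const struct link_state stranger = { false, false };  /* constructed input */
    int n = 0;
    for (int op = 0; op < OP_COUNT; op++)
        n += (h(&stranger, (enum toy_op)op) == ATT_OK);
    return n;
}

int main(void) {
    printf("open: %d exposed, secured: %d exposed\n",
           exposed_to_stranger(handle_open), exposed_to_stranger(handle_secured));
}
```

With the open handler every operation is served to an unpaired peer; with the hardened handler none is, and the error code tells a legitimate app whether it needs to pair or only to enable encryption.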

"Exterminate, annihilate, destroy," the unicorn-shaped pet toy says in the video. To be fair, Stone said these toys are not "the perfect bugging device" because one can only record five messages of 40 seconds of audio with them, and you have to be within Bluetooth range. But it might be possible to change the time limit because the toys' firmware is not signed or encrypted, so it can be overwritten by anyone, according to Stone.

"It would be possible to modify the firmware to make it into a better spying device," Stone told me. The researcher said he had made multiple attempts to warn Spiral Toys of these issues since October, but didn't receive a response. I myself have had trouble talking to anyone at the company, including its CEO Mark Meyers, whom I called and messaged on LinkedIn.

Calls to the company's telephone numbers also went unanswered, and so did emails to its public addresses. Meyers denied the data breach. He also said he saw our attempts to get comment, but he never reached back because "you don't respond to some random person about a data breach."

Tags: surveillance, Internet of Things

Source: Motherboard