• Cloudpets: Does your toy need its password changed?

    #98049

    In the wake of concerns regarding the security of internet-connected toys, there has been a leak of data from Cloudpets, including 2.2 million audio recordings. Account details have also been compromised.

    https://arstechnica.com/security/2017/02/creepy-iot-teddy-bear-leaks-2-million-parents-and-kids-voice-messages/

    As a child, I was able to tell my teddy everything, and know it was just between the two of us. That no longer applies, where toys are part of the Internet of Things.

    It serves as a reminder for all devices that connect to the internet, to change the password from the default, when you first get it (at least)!

    1 user thanked author for this post.
    • #98062

      I hope someone sues that company into oblivion. Not only was their security very poor or non-existent in many ways, but also I’m quite sure that parents aren’t even aware of the risks; they just think that this is the latest thing for their kids, everybody else has one, etc etc.

      Imagine that your kid has one of these toys in the car, and the toy has tapped into your smart phone’s wifi hotspot. Anyone with access to the toy (on the other end of the connection) could listen in to everything that is said in the car.

      “Smart” devices such as this shouldn’t even be allowed in the children’s market. But if they are, the company should be required to put in big print the implications and risks of such technology, so that parents have at least some idea of the risks involved.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      1 user thanked author for this post.
    • #195072

      Advocacy Groups Call On Retailers to Halt Sale of CloudPets Toys
      https://www.eff.org/deeplinks/2018/05/civil-liberties-and-child-advocacy-groups-call-retailers-halt-sale-cloudpets-toys

      By Jason Kelley | May 28, 2018

       
      Civil liberties and child advocacy organizations are calling on Walmart, Target, and Amazon to halt sales of CloudPets, stuffed toys that allow the recording and sharing of voice messages, until the manufacturer addresses known security breaches and vulnerabilities—including a critical flaw that allows someone within bluetooth range to eavesdrop on, and send messages to, users of the toy.

      CloudPets may sound benign: stuffed unicorns, bears, monkeys, and other animals that double as voice messaging platforms, allowing children, parents, or friends of children to send recorded messages to and from each other via the toys. But the manufacturer, Spiral Toys, has a track record of failing to protect consumers—and those most likely to fall victim to these vulnerabilities, children. Researchers and others have contacted the toymaker about several flaws, but many of these concerns have gone unheeded.

      Read the letter from the coalition asking retailers to halt sales of CloudPets.

      The letter points out three major areas of concern:

      Data breach: Researchers found that CloudPets users’ data was accessed multiple times by unauthorized parties and held for ransom—and the company was not responsive, at first, to reports of the problem. This impacted over 800,000 families.
      Spying capabilities: On February 28th, 2017, it was discovered that individuals within Bluetooth range (30 meters) can connect to, record audio from, and send messages to CloudPets through a third party interface. It’s been a year—and guides to do this are easily found online. Spiral Toys has yet to implement authentication techniques to resolve this incredibly dangerous security flaw.
      Phishing risks: Spiral Toys, the maker of CloudPets, allowed their tutorial domain, mycloudpets.com/tour, to lapse, and it now has the potential to be used in phishing attacks against consumers.

      In the letter, the coalition writes,

      “What CloudPets demonstrates is the potential privacy risks that even a toy with limited connectivity can pose. More importantly, it also shows how these toys are entry points for companies to generate a consumer base from children for other digital products in the future. That’s why it’s so critical that privacy and security be at the forefront of makers’ minds.”

      Signers including EFF, Campaign for Commercial Free Childhood, Center for Democracy and Technology, and Consumer Federation of America are asking the retailers to immediately pause the sale of CloudPets, and to work together with us on other proactive, positive steps to protect customer safety, security, and privacy. As Internet-connected devices become more common, security practices that protect the users of even those devices with limited connectivity must become common as well. That these devices are sold for children is yet another reason to insist that privacy and security be at the forefront of makers’—and retailers’—minds.

       
      Reproduced in full (under CCAL)

      1 user thanked author for this post.
    • #196444

      IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales
      Self-appointed privacy paladin Mozilla points out fatal flaws

      By Thomas Claburn | 6 Jun 2018

       
      Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla.

      The move follows similar actions taken by Walmart and Target last week. And other sellers of the toy are said to be considering similar action. Amazon did not immediately respond to a request for comment but CloudPets have vanished from its website.

       
      Read the full article here

      1 user thanked author for this post.