A smart teddy bear has leaked the voice messages of millions of parents and children.
We have talked a lot about the Internet of Things, and how it can be dangerous if it is not done well; the problem is almost always the same: the devices have security holes that are never closed.
Holes that hackers can take advantage of to get personal information, or even to turn the devices into zombies under their command to launch DDoS attacks.
Smart plush toy, but not secure
We are not just talking about thermostats or cameras; more and more toys that connect to the Internet are vulnerable.
800,000 CloudPets owners have found out the hard way; a smart teddy bear that promises "a message you can hug".
It is a simple but very curious idea. The stuffed animal can connect to the Internet to send and receive voice messages, which it plays through the built-in speaker; parents can send messages from the iOS and Android app, and in this way the child will not feel so alone.
It all sounds very nice, until it is discovered that Spiral Toys, the company behind CloudPets, has no idea about security: it left the database with the emails and passwords of the 800,000 users unprotected.
Indeed, the MongoDB database was on the company's server, and it was possible to access it without any kind of password or firewall; you don't even have to be a hacker to get data this way, just use a search engine.
In this case, the search engine used was Shodan, which specializes in finding unprotected pages and databases; it is something like the Google of those who look for private data.
Database and recorded messages left exposed
The only positive thing in all of this is that the passwords were hashed with the bcrypt function, which is harder to crack than others; but that does not do much good if the passwords are easy to guess.
In other words, during user registration the Spiral Toys app accepted passwords that were too short, simple and easy to guess, such as 123456 or qwe.
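The point above is that a slow hash only protects passwords that are not trivially guessable. As an added example (not code from Spiral Toys or the CloudPets app), here is a registration step that rejects short, common or account-derived passwords before anything is hashed; the denylist is constructed for illustration, and hashlib.scrypt from the standard library stands in for the bcrypt the app used (an assumption made so the example needs no third-party package).

```python
import hashlib
import secrets

# Constructed denylist standing in for a real common-password corpus;
# "123456" and "qwe" are the examples quoted in the article.
COMMON_PASSWORDS = {"123456", "qwe", "123456789", "password", "qwerty",
                    "12345678", "111111", "abc123"}
MIN_LENGTH = 12
# scrypt work factors (assumed values): ~16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def password_problems(password: str, email: str = "") -> list[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password denylist")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    local_part = email.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the account's email name")
    return problems


def hash_password(password: str) -> str:
    """Salted slow hash for storage; bcrypt would fill the same role in the real app."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return secrets.compare_digest(digest.hex(), digest_hex)


def register(email: str, password: str) -> str:
    """Registration: refuse weak passwords first, only then hash and return the record."""
    problems = password_problems(password, email)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)
```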
Not only that, but it was also discovered that two million recordings of parents and children were stored in Amazon S3 without a password.
During the time the database was exposed, it is known that at least two security experts found it, along with an unknown number of attackers.
According to the experts, the Spiral Toys database was overwritten twice while being investigated, probably because the attackers copied it and deleted it to hold it for ransom. Finally, on January 12 the database was completely deleted. Neither CloudPets nor Spiral Toys have made any statements.