A large new data leak has been reported, this time from a series of stuffed toys made by the Spiral Toys company: voice messages and account credentials.
The Hacker’s Stuffed Toys Prize – Voice Messages And Account Credentials
Security experts have announced the latest major leak. This time the source isn't a large company, school or online service: more than 2 million recorded messages and account credentials were found to have leaked from stuffed toys. The CloudPets line made by the Spiral Toys company was the origin of the security issue. The stolen accounts and the associated data were leaked online and subsequently reported by security researchers who monitor such incidents. Using publicly available means (the Shodan search engine and breach notification services), the experts were able to establish that during the period December 25 2016 – January 8 2017 multiple parties accessed the exposed data.
The recorded voice messages included both those made by children and those made by their parents; they were available on an Amazon-hosted site which required no authorization to access. The main feature of the toys is to record and play these messages, which can be sent over the Internet. The database holding the account credentials was kept by a Romanian company called mReady.
As more and more toys go online thanks to IoT services (don't forget the case with Standard Innovation), so do the dangers of account theft and abuse. At least the passwords were hashed using the bcrypt function. However, CloudPets implemented a very permissive policy which allowed customers to use short passwords, or even a single character. This means that even when such protections are in place, the leaked accounts remain very easy to abuse. There are several severe issues identified in this incident:
The database has been exposed publicly to the Internet without applying even the most basic authentication principles.
The number of affected customers is very large and the passwords used are probably shared with other services.
The manufacturer has not upheld even the most basic IoT security standards when implementing the Internet services in the toys.
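As an added illustration (not code from the original post, nor from CloudPets or Spiral Toys), the following Python shows the point made above: a slow password hash does not rescue a policy that accepts single-character passwords. It assumes hashlib.scrypt as a standard-library stand-in for bcrypt, and the candidate alphabet and cost parameters are constructed for the demo.

```python
import hashlib
import hmac
import os
import string

# hashlib.scrypt stands in for bcrypt here (assumption: the argument is the same
# for any deliberately slow password hash). Low cost parameters keep the demo fast.
SCRYPT_PARAMS = {"n": 2**12, "r": 8, "p": 1, "dklen": 32}
# Constructed candidate alphabet: the 94 visible ASCII characters.
ALPHABET = string.printable.strip()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted slow hash of a password, as a site following good practice stores it."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    computed = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(computed, digest)


def permissive_policy(password: str) -> bool:
    """The kind of rule the post describes: anything non-empty, even one character."""
    return len(password) >= 1


def minimum_length_policy(password: str, min_len: int = 12) -> bool:
    """Hardened rule: reject short passwords before they are ever hashed and stored."""
    return len(password) >= min_len


def guesses_for_single_char(salt: bytes, digest: bytes):
    """Slow-hash evaluations needed to recover a one-character password from a
    leaked salt/digest pair: at most len(ALPHABET), whatever hash function is used."""
    for tries, ch in enumerate(ALPHABET, start=1):
        if verify_password(ch, salt, digest):
            return tries
    return None


def keyspace(min_len: int) -> int:
    """Candidates to consider for a password of exactly min_len alphabet characters."""
    return len(ALPHABET) ** min_len
```

Under the permissive policy a leaked hash of a one-character password falls to fewer than a hundred hash evaluations, while the minimum-length rule pushes the same search to keyspace(12) candidates; the fix belongs in the policy, not in the choice of hash.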
As the toys are themselves active Internet devices, they can be abused for spying. This is why end users should be very careful when purchasing and using any products that market themselves as connectable to the Internet.