Back in 2015 we reported on possible vulnerabilities in the internet-connected Hello Barbie doll, and on the risk of privacy and security breaches arising from children's conversations being stored in the cloud. Two weeks ago Germany banned the interactive Cayla doll from stores and issued warnings to parents who had purchased it. The Cayla doll was found to be insecure and to violate Germany's laws against concealed surveillance devices.

Not Your Average (G.I.) Joe

On Monday it was announced that these concerns had again been realized, this time by attacks against CloudPets plush animals. CloudPets lets parents use a smartphone app to leave messages for their children on the plush toy, and children can send messages back to their parents. Profile data such as email addresses and passwords were stored in an unsecured MongoDB database; it was so poorly protected that it had neither a password nor a firewall in front of it. While the account passwords were hashed, they were easily cracked because many were as simple as "cloudpets" or "1234567". The recorded messages themselves were stored on an Amazon server that did not require authentication either, so all an attacker had to do was guess, or slightly alter, a URL to reach the recordings.
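The two database failures described above (no authentication and no network restriction) are both visible in a mongod configuration file. The following audit script is an added example, not code from CloudPets or its vendor; it assumes the stock two-level `mongod.conf` YAML layout (`security.authorization`, `net.bindIp`) and uses its own minimal parser so it runs without PyYAML. Both configuration samples are constructed for illustration.

```python
# Constructed sample of an exposed server of the kind described in the
# post: no authorization section, listening on every interface.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample of the same server hardened: clients must
# authenticate, and mongod only accepts connections from localhost.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Flatten two-level mongod.conf YAML into {'section.key': value}."""
    flat, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")
        if raw.startswith(" "):          # indented line belongs to a section
            flat[f"{section}.{key.strip()}"] = value.strip()
        else:                            # top-level line names a new section
            section = key.strip()
    return flat


def audit(conf_text):
    """Return findings matching the CloudPets-style exposure, empty if none."""
    conf = parse_conf(conf_text)
    findings = []
    # Authorization is off unless the file explicitly enables it.
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("authorization disabled: any client can read the database")
    bind = conf.get("net.bindIp")
    if bind is None:
        findings.append("bindIp not set: older mongod builds listen on all interfaces")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append(f"bindIp {bind}: reachable from every network interface")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

A firewall rule in front of the host is still needed; the script only reports what the daemon itself would accept.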

While this post was being written, further alarming details about the CloudPets vulnerabilities came to light. Anyone within Bluetooth range can connect to the plush toy and record what it is hearing at the time, or upload a message of any nature for it to play to the child. In effect, the toy can be turned into an eavesdropping device in your home.

Security researchers had been trying, without success, to contact the makers of CloudPets, and the breached data has been exposed online since at least late last year. As of this writing the toy maker has not responded or addressed the issue. If your child owns one of these toys, you should consider changing your account password and the password of any other account that reused it (such as your bank), and turn the device off until the issue is resolved.

As IoT devices become more commonplace in our homes, consumers need to demand better security from manufacturers. Breaches like this also show why it is not recommended to reuse the same password across multiple sites, and why every internet-connected account should have its own complex password. Also make sure to discuss these issues and breaches with your non-technical friends, who may not realize the danger posed by the toy sitting in their living room. If you still want a toy that can play messages to your children, there are still Teddy Ruxpin dolls available on eBay that are secure from hacking.

Sources:
https://www.social-engineer.org/general-blog/hello-barbie-the-doll-that-really-listens-2/
https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2017/17022017_cayla.html
https://www.nytimes.com/2017/02/17/technology/cayla-talking-doll-hackers.html
https://motherboard.vice.com/en_us/article/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings
https://motherboard.vice.com/en_us/article/qkm48b/how-this-internet-of-things-teddy-bear-can-be-remotely-turned-into-a-spy-device