IoT Strikes Again As Connected Teddy Bear Leaks 2 Million Recordings and Passwords

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
20,408
IoT connected devices just can't get out of their own way when it comes to internet security. A stuffed animal called Cloudpets that allows you to record conversations and send them to others has been coerced into giving out 2 million recordings along with 800,000 email addresses and passwords allegedly. Spiral Toys is the company behind the teddy bear and supposedly hasn't even been bothered enough to tell it's customers about the security breach.

Is it a security breach if there was never security installed in the first place? The servers holding the recordings and passwords were freely open for hackers to scan and pillage for months as it was alleged that there was no password or firewall installed on the servers. The passwords that parents set could be as short as three letters, so the strong encryption on the email and password files was useless in many cases. Hackers have allegedly deleted the database twice and hold the data in lieu of a ransom payment.

The voice messages themselves were not in the database, according to the researchers. But Hunt found out that they were stored in an Amazon S3 bucket that doesn't require authentication. So as long as hackers could guess the URL of the files, they could listen to the messages. Hunt said he believes that was definitely possible. Moreover, many customers used incredibly weak passwords such as 123456 or "cloudpets," (in part probably because the app allowed users to create accounts even with as short a password as "qwe," as this video shows), making it trivial to log into their accounts and listen to the saved messages.

To make matters worse, the data was exposed two months ago, and since then, the company hasn't notified the victims, nor disclosed the breach.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
If the total lack of security proves true, company officials should be charged with one count of violating the Child Privacy Protection Act for each account created for a toy. Officials charged should include the Board of Directors since one of their primary charges is to ensure the company meets basic legal obligations. Not providing any security removes any claim that the company did its due diligence.

Don't know how many toys were sold but several thousand or hundreds of thousands of charges should as an incentive for officials of other companies to improve security and privacy.

The criminal charges could be brought regardless of whether the company files bankruptcy.
 

gxp500

Gawd
Joined
Mar 4, 2015
Messages
865
Officials charged should include the Board of Directors since one of their primary charges is to ensure the company meets basic legal obligations.
If the bumblefucks who couldn't secure opm didn't get charged what makes you think some toy company will?
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
If the bumblefucks who couldn't secure opm didn't get charged what makes you think some toy company will?

Should != will be. Most officials in government are mostly clueless to the risks things like this represent. When I asked my Congress critter about personal privacy and online security during a town hall, got a deer in headlight look. If it doesn't involve Russian or Chinese state hacking involvement or billions of dollars of seizeable assets, pretty well off the radar.
 

Gigus Fire

2[H]4U
Joined
Oct 14, 2004
Messages
2,275
There needs to be harsher consequences for this type of greed and incompetence
Maybe one day people will smarten up and just not buy this crap. The best consequence would be going out of business because of stupid product decisions.
 

Krazy925

Supreme [H]ardness
Joined
Sep 29, 2012
Messages
5,483
Has anyone cruised over to the company website?
No mention of the hack. Although the most recent blog post I saw was from 2015. Apparently tech illiterates can make a IoT teddy bear. It'll be interesting to see if this gets people's attentions. People care about kids and not exposing them.
 

Dekoth-E-

Supreme [H]ardness
Joined
Mar 23, 2010
Messages
7,599
Yet everyone gets angry and calls me a luddite for not wanting internet connected devices with recording equipment that don't need it. Funny how all this stuff keeps happening on these devices. Guess I'm not such a paranoid dumbass for not trusting manufacturers to not be incompetent, greedy assholes.
 

Krazy925

Supreme [H]ardness
Joined
Sep 29, 2012
Messages
5,483
Yet everyone gets angry and calls me a luddite for not wanting internet connected devices with recording equipment that don't need it. Funny how all this stuff keeps happening on these devices. Guess I'm not such a paranoid dumbass for not trusting manufacturers to not be incompetent, greedy assholes.
You're a Luddite :ROFLMAO:
 

TheGeekFreek

Supreme [H]ardness
Joined
Mar 31, 2005
Messages
7,900
I hope this company burns to the ground..

Mother in law got one of these for my kiddo for christmas. Requires an app to use that they give you for 'free' but its so god awful and full of ads you have to pay an extra 5$ just to make it not suck fat wang.
I got my notice last night from Pwnzored about this and I will for sure be one on the private lawsuit train.
 

rgMekanic

[H]ard|News
Joined
May 13, 2013
Messages
5,480
Everytime I see stuff like this, I just think.... this is the shit Intel wants to invest in and not desktop cpu's...
 

thesmokingman

Supreme [H]ardness
Joined
Nov 22, 2008
Messages
6,617
lol Cloud Pets has not notified the affected users breaking some laws possibly with regard to reporting time limitations.
 

PaulP

Gawd
Joined
Oct 31, 2016
Messages
776
This why we need some sort of certification agency for these types of products, kind of like Underwriters Laboratory.
 
Top