CloudPets IoT Toys Leaked and Ransomed, Exposing Kids' Voice Messages

"According to security researcher Troy Hunt, a series of web-connected, app-enabled toys called CloudPets have been hacked," reports Android Police. "The manufacturer's central database was reportedly compromised over several months after stunningly poor security, despite the attempts of many researchers and journalists to inform the manufacturer of the potential danger. Several ransom notes were left, demanding Bitcoin payments for the implied deletion of stolen data." From the report: CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising. Hunt and the researchers he collaborated with found that the central database for CloudPets' voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left.

Re:Strict liability for writing code? It's coming

[lucasnate1]

While I agree with you, I think it's unfair to always put the blame on the programmer. In many companies that I worked for I remember seeing things that looked like this, I talked with my managers about fixing it, and they said "it is lower priority".

Re: Strict liability for writing code? It's coming

Turns out it doesn't.

I worked for a company with shit security practices. I put my foot down. Was almost fired for it. Had I not had and proven major exploits that would have put them out of business they would have fired me.

Yes, someone wrote that shit. Someone horribly unqualified to do the job they were hired to do. And then every person that came behind them wasn't given the time to fix it and shit got bolted on shit.

Also, this company literally handles children's personal info.

As soon as shit was fixed to my satisfaction, I was let go.

I couldn't be held responsible for having touched some of it before, or even after fixing it. Liability doesn't work that way (at least in Canada) it's 100% on the business.

To be clear. Management is to blame. Management is liable. For having allowed shit work to happen, and for allowing shit work to stay around.

Software developers have no right to say 'no' as engineers do. And I agree. It should be a regulated profession. Its not. Sometimes food for their families is more important than the moral high ground.