Slashdot Mirror


CloudPets IoT Toys Leaked and Ransomed, Exposing Kids' Voice Messages (androidpolice.com)

"According to security researcher Troy Hunt, a series of web-connected, app-enabled toys called CloudPets have been hacked," reports Android Police. "The manufacturer's central database was reportedly compromised over several months after stunningly poor security, despite the attempts of many researchers and journalists to inform the manufacturer of the potential danger. Several ransom notes were left, demanding Bitcoin payments for the implied deletion of stolen data." From the report: CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising. Hunt and the researchers he collaborated with found that the central database for CloudPets' voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left.

2 of 64 comments

  1. Strict liability for writing code? It's coming by Anonymous Coward · Score: 4, Interesting

    Build a bridge, and if it collapses due to poor design the engineers involved go to jail.

    Build a crappy piece of software? No liability. That's going to end eventually.

    You want to call yourself an "engineer"? Play by real engineering rules.

    You're just a script kiddie with your Ruby? Tough.

    Because eventually, if you implement something poorly like this, you will be liable.

    If that scares you and makes you nervous, GOOD!!!!, because that means you're the type of clown-writing-code that needs to be held to higher standards.

  2. Re:Strict liability for writing code? It's coming by LordWabbit2 · Score: 3, Interesting

    Heh, while not exactly security related, I worked for a company that dealt in millions of transactions totaling billions in value. All this shoveled back and forth through IBM MQ... with no transactions. Every now and then the server would up and die, and since it was multi-threaded, messages would get lost. I suggested switching on transactions to at least stop losing messages while we hunted down the reason for the server croaking, and was told NO. It would be too expensive (it was like 6 lines of code to actually implement), but the TESTING with all the clients would have cost them millions. So as far as I know they are still losing messages. Management's call; I left shortly after.

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.