Slashdot Mirror

← Back to Stories (view on slashdot.org)

CloudPets IoT Toys Leaked and Ransomed, Exposing Kids' Voice Messages (androidpolice.com)

Posted by BeauHD on from the held-for-ransom dept.

"According to security researcher Troy Hunt, a series of web-connected, app-enabled toys called CloudPets have been hacked," reports Android Police. "The manufacturer's central database was reportedly compromised over several months after stunningly poor security, despite the attempts of many researchers and journalists to inform the manufacturer of the potential danger. Several ransom notes were left, demanding Bitcoin payments for the implied deletion of stolen data." From the report: CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising. Hunt and the researchers he collaborated with found that the central database for CloudPets' voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left.

11 of 64 comments (clear)

  1. Strict liability for writing code? It's coming by Anonymous Coward · · Score: 4, Interesting

    Build a bridge, and if it collapses due to poor design the engineers involved go to jail.

    Build a crappy piece of software? No liability. That's going to end eventually.

    You want to call yourself an "engineer"? Play by real engineering rules.

    You're just a script kiddie with your Ruby? Tough.

    Because eventually, if you implement something poorly like this, you will be liable.

    If that scares you and makes you nervous, GOOD!!!!, because that means you're the type of clown-writing-code that needs to be held to higher standards.

  2. Re:Strict liability for writing code? It's coming by lucasnate1 · · Score: 4, Informative

    While I agree with you, I think it's unfair to always put the blame on the programmer. In many companies that I worked for I remember seeing things that looked like this, I talked with my managers about fixing it, and they said "it is lower priority".

    --
    Avantgarde Hebrew science fiction
  3. You want "cloud" by Ol+Olsoc · · Score: 4, Insightful

    You get this - you get cloud. Deal with it.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:You want "cloud" by mwvdlee · · Score: 2

      I recently encountered a site which had a maximum password length of 20 characters.
      My password now contains a message to whoever thought this was a good idea.
      I'm pretty sure somebody will read that message soon enough.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  4. Re:Strict liability for writing code? It's coming by kbg · · Score: 5, Insightful

    You should always make sure you get the manager response in writing. Just tell him to either send his response in an email and then archive this email or log his response to the bug report ticket and notify. Because when the shit hits the fan you will always be blamed, unless you can point to an actual written statement saying otherwise. If you just say "The manager told to me to ignore it", he will just reply "I don't remember saying that".

    Everyone else is covering their asses so you should also otherwise it's your ass.

  5. Re: Strict liability for writing code? It's coming by Anonymous Coward · · Score: 5, Informative

    Turns out it doesn't.

    I worked for a company with shit security practices. I put my foot down. Was almost fired for it. Had I not had and proven major exploits that would have put them out of business they would have fired me.

    Yes, someone wrote that shit. Someone horribly unqualified to do the job they were hired to do. And then every person that came behind them wasn't given the time to fix it and shit got bolted on shit.

    Also, this company literally handles children's personal info.

    As soon as shit was fixed to my satisfaction, I was let go.

    I couldn't be held responsible for having touched some of it before, or even after fixing it. Liability doesn't work that way (at least in Canada) it's 100% on the business.

    To be clear. Management is to blame. Management is liable. For having allowed shit work to happen, and for allowing shit work to stay around.

    Software developers have no right to say 'no' as engineers do. And I agree. It should be a regulated profession. Its not. Sometimes food for their families is more important than the moral high ground.

  6. Re:I am inspired... by Oswald+McWeany · · Score: 2

    Oooohh.... and it can send a message back to your phone, so you know when your SO is using it and hearing your message. That should make the weekly staff meeting more interesting when my phone buzzes so I take a peak and see it's the Mrs having fun at home while I'm learning what Stanley O'Noodle worked on for the last 7 days.

    --
    "That's the way to do it" - Punch
  7. Throwback by PeeAitchPee · · Score: 2

    This is like when we put old 80s rap cassettes in a Teddy Ruxpin.

  8. Doubt the company cares by Zontar_Thing_From_Ve · · Score: 2

    I checked and their stock is trading in the over the counter market. It's currently at 6/10 of one cent per share. That's right. A share costs less than one penny. At some point in the past year it was worth something like 38 cents a share. Given how even by OTC standards their stock is practically worthless, I would imagine that they don't have the funds on hand to pay the ransom and they probably can't fix the problems either, if they even cared to (not sure that they do). What people are saying about how this worked, when it did actually do what it was supposed to, doesn't suggest that security was given much thought. They probably thought nobody would care enough to hack a children's toy.

  9. Re:Strict liability for writing code? It's coming by LordWabbit2 · · Score: 3, Interesting

    Heh, while not exactly security related, I worked for a company who dealt in millions of transactions totaling billions in value. All this shoveled back and forth through IBM MQ.... with no transactions. Every now and then the server would up and die, and since it was multi threaded messages would get lost. I suggested switching on transactions to at least stop losing messages while we hunted down the reason for the server croaking, and was told NO. It would be too expensive (it was like 6 lines of code to actually implement) but the TESTING with all the clients would have cost them millions. So as far as I know they are still losing messages. Managements call, I left shortly after.

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  10. Re:Poor interface? by rjmx · · Score: 2

    Kids these days. Wimps. Now, in *my* day, we had to catch a grizzly bear and press IT'S paw. While it was mauling us.

    Now get off my lawn.