A report by security researcher Troy Hunt claims that a brand of internet-connected children’s toys, CloudPets, has been infiltrated by hackers who collected hours of audio recordings of children and are demanding a ransom in exchange for the files.
CloudPets allow parents to record voice messages on their phone and transfer these messages to a stuffed animal toy which then plays the message via internal speakers. But according to security researcher Troy Hunt, CloudPets left gaping holes in their digital security which gave hackers access to the accounts and messages of a large number of users.
Put yourself in the shoes of the average parent, that is one who’s technically literate enough to know the wifi password but not savvy enough to understand how the “magic” of daddy talking to the kids through the bear (and vice versa) actually works. They don’t necessarily realize that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web.
Hunt explains that each of these personal recordings was stored in a database on a publicly facing network segment with no security or authentication whatsoever. The CloudPets database had even been indexed by the search engine Shodan, which allows users to find “servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.”
Hunt claims that many people became aware of the exploit within CloudPets’ servers and even sent him data from the table that held user accounts. An attendee of a workshop that Hunt was hosting on security had a CloudPets account, and within moments Hunt was able to find the man’s password.
“Due to there being absolutely no password strength requirements whatsoever, anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” said Hunt.
A friend of Hunt allegedly attempted to contact CloudPets on three separate occasions to warn them of the breach in their security. Contacting the company via the support form on their website yielded no response, which led Hunt’s friend to contact the email address listed on the company’s WHOIS records, which belonged to a marketing firm called On Demand. Finally, Hunt’s friend was forced to contact the hosting company for CloudPets’ databases and warn them of the problem.
Niall Merrigan, a solutions architect and member of the InfoSec community, noticed that new databases labeled “PLEASE_READ” were being created. Within these databases, Merrigan found text stating, “Your DB is backed up on our servers, send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your IP address to email:firstname.lastname@example.org”.
— Niall Merrigan (@nmerrigan) January 6, 2017
The CloudPets servers were eventually made inaccessible by the company, but not before their database had been infiltrated, deleted, and held for ransom by multiple hackers.