Spiral Toys, which manufactures the CloudPets range of Bluetooth-enabled "smart toys," is under privacy fire for exposing 821,000 user records online, as well as links to 2.2 million parent and child voice recordings captured by its interactive toys and related apps.
Copies of the data are in wide circulation and appear to be the focus of multiple attempted ransom shakedowns, says Australian developer and Have I Been Pwned administrator Troy Hunt, who says that he and other researchers have verified that the exposed data is legitimate.
On Feb. 28, Harold Chizick, a spokesman for Agoura Hills, Calif.-based Spiral Toys, said in an emailed statement to Information Security Media Group that "Spiral Toys was notified about a potential breach on Feb. 22 and took immediate and swift action to protect the privacy of our customers" by requiring all users to change their passwords. But information published by security experts appears to contradict that timeline: they say they have received no password-change alerts, and they suggest that further flaws have not yet been addressed (see Yes, Unicorns With Bluetooth Problems Really Do Exist).
The CloudPets alert follows increasing calls from security experts for internet-connected devices to be regulated by governments and for poorly secured devices to be blocked from the internet (see Cybersecurity Chaos Dominates RSA Conference Discussions).
Information Security Missteps
In a blog post, Hunt alleges Spiral Toys committed numerous information security errors in relation to its toys. Here's a brief recap of what he says apparently went wrong.
- MongoDB: The company exposed MongoDB databases - no password required for access - containing user account information, which was indexed by the internet-connected device search engine Shodan. "The data is now in the wild," Hunt says. (See related story: Emory Healthcare Database Breach: What Happened?)
- Ransom demands: Attackers downloaded and then deleted some of these MongoDB databases - including one containing 821,000 user records - and left at least three different ransom notices for Spiral Toys.
- Links: "The MongoDB contains references to both profile pictures and voice records which are stored in Amazon S3" - Simple Storage Service - Hunt says, and access to the linked recordings is not protected by user authentication. Hunt has posted a sample sound file recorded using a CloudPets toy to demonstrate what attackers might be able to recover. He says links to all of the data stored on Amazon S3 were contained in the exposed MongoDB databases.
- Passwords: While Spiral Toys stored passwords using the bcrypt password-hashing algorithm, which is good, it failed to enforce any password rules, as demonstrated in this YouTube video. As a result, users could pick short passwords - such as "qwe" - or overused ones, meaning that many of the stored password hashes could be easily cracked despite bcrypt.
- Bug reporting: Spiral Toys maintained no channel for security researchers to report flaws in its products and could not be reached despite multiple attempts by different researchers, including a Dec. 31, 2016, trouble ticket logged in its Zendesk system by Dutch security researcher Victor Gevers.
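The first misstep above - a MongoDB instance reachable from the internet with no authorization required - is the kind of thing a deployment check can catch before Shodan does. The following is an added example, not code from the article or from Spiral Toys: it audits two constructed mongod.conf fragments (a weak one matching the failure pattern described here, and a hardened one) for the two settings that matter most, `security.authorization` and `net.bindIp`. The minimal YAML parser handles only the two-level `section:` / `  key: value` layout that mongod.conf uses for these keys.

```python
import re

# Constructed sample configs. WEAK_CONF mirrors the exposure pattern in the
# article: no authorization section, listening on every interface.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongo
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongo
"""


def parse_simple_yaml(text):
    """Parse two-level 'section:\\n  key: value' YAML into nested dicts (comments stripped)."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if not indent:  # top-level section header
            section = key
            result.setdefault(section, {})
        elif section is not None:
            result[section][key] = value.strip().strip("\"'")
    return result


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_simple_yaml(text)
    findings = []
    auth = cfg.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can reach the port gets full access")
    net = cfg.get("net", {})
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    bind_ips = [ip.strip() for ip in net.get("bindIp", "").split(",") if ip.strip()]
    if bind_all or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append("net.bindIp/bindIpAll listens on all interfaces; bind to localhost or a private address")
    elif not bind_ips:
        findings.append("net.bindIp not set explicitly; older mongod builds listened on all interfaces by default")
    return findings
```

Run `audit_mongod_conf` over the real mongod.conf during provisioning or CI and fail the deployment on any finding.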
Warnings, Then Ransom Demand
Motherboard says that independent of Hunt, on Dec. 30, 2016, it received a tip-off that poorly secured CloudPets data was being stored online. "I want to inform you that 18.104.22.168 is running a MongoDB instance which appears not to be correctly configured or protected by a firewall allowing connections via port 2701," according to a message it received.
Hunt says that he and other security experts have been attempting to alert Spiral Toys to the security problems. Gevers, for one, attempted to warn Spiral Toys multiple times beginning in late December 2016, but says he couldn't make contact.
@CloudPets Hi! I want to report a security issue but firstname.lastname@example.org & email@example.com are not functional: Recipient not found. - Victor Gevers (@0xDUDE) December 30, 2016
Norway-based Irish security researcher Niall Merrigan has charted, beginning in January, a series of MongoDB ransom demands - all apparently part of the same campaign - that involve one or more stolen CloudPets databases. One of the related ransom notices reads: "You DB is backed up on our servers, send 1 BTC to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF then send your ip address to email:firstname.lastname@example.org."
The breach is a reminder that too many organizations fail to provide a dedicated hotline for bug hunters. "I've said many times before in many blog posts, public talks and workshops that one of the greatest difficulties I have in dealing with data breaches is getting a response from the organization involved," Hunt says.
No One Home?
The failure to raise anyone at Spiral Toys may be due to its stock price now being worth less than one cent. The value of the company's stock - listed on the Over-The-Counter Bulletin Board, which is regulated by the Financial Industry Regulatory Authority - has been in decline since late 2015. Potential salvation in the form of an internet-connected "smart piggybank" named Wiggy, which the company brought to market in November 2016, has so far failed to materialize.
To date, Spiral Toys has filed no data breach notifications with the state of California.
As of January 1, the state requires public notification of breaches affecting 500 or more residents, including breaches of encrypted data if the security credentials or encryption keys that could unlock that data were also exposed.
Creepy Smart Toy Redux
When it comes to smart toys - and many manufacturers' apparent disregard for kids' privacy - we've seen all of this before.
In 2015, for example, Hong Kong toymaker VTech was hacked and data on 200,000 kids exposed.
The same year, I detailed how Mattel's $75 internet-connected Hello Barbie that could listen to children's conversations and respond to them triggered privacy and creepiness warnings from experts.
Also in 2015, Ken Munro, a partner at U.K.-based penetration testing firm Pen Test Partners, showed how the $60 Cayla doll, which can be paired with a smartphone, and a dedicated app used to process what's said to the doll, could be locally hacked.
Germany Bans Cayla
Now, some regulators are taking action. Earlier this month, the Bundesnetzagentur - Germany's telecommunications watchdog - banned the Cayla doll on privacy grounds, because it surreptitiously records local conversations and transmits them to a web service. The doll was introduced in 2014.
"Any toy that is capable of transmitting signals and that can be used to record images or sound without detection is banned in Germany," according to the Bundesnetzagentur. It also found that the toy's wireless connection was poorly secured, leaving it at risk of local eavesdropping. Genesis Toys, which manufactures Cayla, couldn't be immediately reached for comment on those allegations.
The Bundesnetzagentur is promising to put the security of more so-called interactive or "smart" toys to the test.
It's a sure bet that Hello Barbie, Cayla and now CloudPets - or rather Mattel, Genesis Toys and Spiral Toys - are not the only information security and privacy offenders.
This blog post has been updated with comment from Spiral Toys.