Internet-connected teddy bears leak over 2M voice messages
The story highlights the problems with connecting every little device, in particular children’s toys – with Germany earlier this month banning so-called smart doll Cayla over fears it could be targeted by hackers. With the CloudPets toys and a related app, parents and kids can record messages for each other that are shuttled between the toy and app via the company’s cloud service. Troy Hunt, security researcher behind Have I Been Pwned, however, analyzed the CloudPets data and claims that a large number of those passwords were so weak they might have been cracked.
The breach was first reported in a blog post from Troy Hunt, a Microsoft regional director, on Tuesday. “The figures showed there would be thousands of passwords adhering to this very small handful of bad examples”.
The voice recordings themselves were not stored in the database, but Hunt did some digging and found them stored in an Amazon S3 bucket with no authorisation required.
Though the passwords in the database were protected by bcrypt hashing, the password requirements were so minimal (‘a’ was a valid password) as to completely negate that protection; accounts could be hacked easily and without special procedures or tools. That cloud service, it turns out, is quite insecure and has allowed voice messages recorded by parents and kids to be leaked online for anyone with the skills to grab them.
Although passwords were protected with the bcrypt hashing algorithm, there was apparently no minimum requirement regarding password strength, meaning users were able to save a single-letter log-in credential if they wished.
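The point above, that bcrypt does nothing for a one-letter password, is easiest to see in code. The following sign-up routine is an added example (not code from the article or from Spiral Toys): it shows the weak behaviour (hash whatever the user sends) beside the hardened one (refuse weak passwords before they reach the hasher). `hashlib.pbkdf2_hmac` stands in for bcrypt so the example runs with the standard library only, and the denylist is constructed for this example.

```python
"""Added example: enforce a password policy before hashing.
pbkdf2_hmac is a stand-in for bcrypt; the denylist below is constructed."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 12
# Constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "cloudpets"}


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (stand-in for bcrypt). Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def register(password: str, enforce_policy: bool = True) -> Dict[str, object]:
    """enforce_policy=False reproduces the failure the article describes:
    any string, even 'a', is hashed and stored. The default refuses weak
    passwords before the (expensive, otherwise useless) hash is computed."""
    problems = check_policy(password)
    if enforce_policy and problems:
        return {"accepted": False, "problems": problems}
    salt, digest = hash_password(password)
    return {"accepted": True, "salt": salt, "digest": digest}


if __name__ == "__main__":
    print(register("a", enforce_policy=False)["accepted"])  # weak: True
    print(register("a"))                                      # hardened: rejected
```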
The report said photos, recorded messages and other information, including emails and passwords, were all at risk.
On Monday, Motherboard reported that toy company Spiral Toys had been part of a massive cloud security failure over the past year. Unfortunately, the email address listed on the company’s support page bounced back, and subsequent attempts at contact went unanswered. In fact, after learning of the breach, the company decided “it was a very minimal issue”. Most IoT devices are not secure by default, and manufacturers need to make privacy and security a priority, and release all IoT devices with default security measures moving forward. The data is stored at Romanian storage provider mReady, and Hunt asserts that the manufacturer may have ignored three or more warnings about the vulnerability.
Hunt said an acquaintance whose data was leaked had never heard about the exposure and that his private conversations with his daughter had potentially been accessed illegally. The law was extended to cover encrypted data as of the first of January.
At the time of publication, the company behind the toys, Spiral Toys, had not responded to HuffPost UK’s request for comment.
“Now firstly, put yourself in the shoes of the average parent, that is one who’s technically literate enough to know the wifi password but not savvy enough to understand how the “magic” of daddy talking to the kids through the bear (and vice versa) actually works”, he said. He asked, “How much is too much?”
The passwords were also easy to crack, Hunt said. However, it is highly probable that Spiral Toys was already aware due to the evidence left behind by criminals who demanded ransom for the data.