Source: Troy Hunt
Only a couple of weeks ago, there were a lot of news headlines about how Germany had banned an internet-connected doll called “Cayla” over fears hackers could target children. One of their primary concerns was the potential risk to the privacy of children:
“conversations between the child and others can be recorded and forwarded”
The Germans had a good point: kids’ toys which record their voices and send the recordings up to the web pose some serious privacy risks. It’s not that the risks are particularly any different to the ones you and I face every day with the volumes of data we produce and place online (and if you merely have a modern phone, that’s precisely what you’re doing), it’s that our tolerances are very different when kids are involved. I’ve got young kids myself and frankly, I’m with the Germans on this one; I don’t see a need for them to have things like their voices recorded and stored online. That’s not to say I don’t want them to have an online presence and I’m gradually exposing both of them to more and more modern internet things, but I don’t particularly want innocent childish behaviour like playing with a toy to be recorded and stored on other people’s computers.
Cayla isn’t the first connected toy to raise concerns either. Just over a year ago it was “Hello Barbie” making the headlines for precisely the same reasons. Yes, it’s a cool idea but no, I (and many others) don’t want my kids exposed in that way. In fact, just before that, we had the VTech data breach which exposed a huge amount of very personal information after parents bought their kids connected tablets, joined them to the wifi network and created accounts for them. Those accounts were ultimately exposed and included the kids’ names, genders, birth dates, photos and links to parents with full physical addresses. That should have been the wake-up call where we all said “hey, if we put our kids’ data on the web, we need to expect it to be leaked”, but evidently it hasn’t stopped the flood of connected toy things.
Which brings us to CloudPets (a brand owned by Spiral Toys) which is a toy that represents the nexus of both the problems discussed above: kids’ voices being recorded and their data consequently being leaked. The best way to understand what these guys do is to simply watch the video:
Now firstly, put yourself in the shoes of the average parent, that is, one who’s technically literate enough to know the wifi password but not savvy enough to understand how the “magic” of daddy talking to the kids through the bear (and vice versa) actually works. They don’t necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn’t realise that in CloudPets’ case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).
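To make the misconfiguration concrete, here is an added illustration (not CloudPets’ actual configuration, which the post doesn’t reproduce) of a mongod.conf in the state described above, followed by the hardened version a defender would want. The weak form mirrors the pre-3.6 MongoDB defaults: listening on every interface with no access control enabled.

```yaml
# Weak: constructed example of the exposed state described in the post.
# mongod listens on all interfaces and no "security" section is present,
# so any client that can reach TCP 27017 can read and modify every collection.
net:
  bindIp: 0.0.0.0
  port: 27017

---
# Hardened: bind only to loopback (or a private interface the app servers use),
# and require authentication/authorization for every client.
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
```

After restarting mongod with the hardened file, an unauthenticated client running listDatabases should be refused with a "not authorized" error; if it still returns the database list, the setting did not take effect.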
Unfortunately, things only went downhill from there. People found the exposed database online. Many people, and the worrying thing is, it’s highly unlikely anyone knows quite how many. The first I knew of it was when earlier last week, someone sent me data from the table holding the user accounts, about 583k records in total (this subsequently turned out to be a subset of the total number in the CloudPets service). I started going through my usual verification process to ensure it was legitimate and by pure coincidence, I was in the US running a private security workshop at the time and one of the guys in my class had a CloudPets account. Sure enough, his email address was in the breach and it was time-stamped Christmas day, the day his daughter had been given the toy. His record looked somewhat like these, the first few in the data I was given:
The password was stored as a bcrypt hash and to verify it was legitimate, he gave me his original password (I asked him to change it on CloudPets first) and I successfully validated that the hash against his record was the correct one (I’d previously validated the Dropbox data breach by doing the same thing with my wife’s account). The data was real.
CloudPets left their database exposed publicly to the web without so much as a password to protect it.
Getting back to who sent it to me, this is someone who travels in data breach trading circles so I have no idea how far the data had actually circulated. However, I subsequently discovered that the database had definitely been accessed well beyond just this individual. But first, it gets worse still…