Data From Kids’ Toys Leaked And Ransomed
I’ve written about kids’ toys and their relative insecurity for a while now, and I will cite these examples of why you may not want to give your kids a connected toy as a gift. Now comes the worst example of this that I have seen, via security researcher Troy Hunt:
CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal’s paw to record a message of their own, which is sent back to the phone app. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising. Hunt and the researchers he collaborated with found that the central database for CloudPets’ voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left.
Not cool. If I were a parent and I bought this toy, I’d dump it. I really do not believe that the people who make these toys have your security in mind when they put them on the market. Until they can prove that they do, they should be avoided by parents.