
2 million messages leaked from the CloudPets smart toys



New models of smart devices continue to appear every day. Gadgets are no longer just watches, trackers or switches. Even children's toys are getting smarter. For example, CloudPets produces Internet-connected toys that allow children and parents to exchange voice messages. Information is transferred wirelessly once the toy system is connected to a phone or tablet with the proprietary application installed. By squeezing the toy's foot, the child activates the toy and can send a voice message that goes to the smartphone. Parents, in turn, use a mobile device to send voice messages. As soon as a message arrives, the heart-shaped light on the toy starts flashing. By pressing it, the child can listen to the message from the mother or father.

The principle is quite simple, so this system of communication can be used by children 3-7 years old and older. Thanks to these features, CloudPets toys have become very popular. Thousands of messages from owners of smart bears, cows or pigs passed through the company's servers every day, and the recordings were kept in the cloud in case the owner of the toy wished to listen to the messages again. Unfortunately, the developers did not take good care of the security of the data stored there. The servers were compromised by intruders, who took the data of more than 800,000 accounts along with voice messages.

The company is to blame for what happened, because user accounts were stored in a MongoDB database that was not protected by a password or a firewall. In effect, the information was out in the open. Network security experts believe the attackers discovered it using the Shodan search service, which lets you search for IoT devices, services and sites that are connected to the network and unprotected from third-party interference.
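A minimal audit for the two gaps named above, no password and no network restriction, written as an added example that is not from the original article or from CloudPets. It assumes the standard `mongod.conf` keys `security.authorization`, `net.bindIp` and `net.bindIpAll` and MongoDB 3.6+ defaults; both sample configs are constructed.

```python
import ipaddress

# Constructed sample configs (not taken from the incident).
EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled   # clients must authenticate
"""

def parse_two_level(text):
    """Minimal reader for the 'section:' / '  key: value' layout of mongod.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):              # top-level section header
            section = key
        else:
            conf[f"{section}.{key}"] = value.strip()
    return conf

def audit(text):
    """Return findings for missing access control and broad listen addresses."""
    conf, findings = parse_two_level(text), []
    # Access control is off unless explicitly enabled.
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("authorization is not enabled: no password is required")
    # Assumed default: localhost only (MongoDB 3.6 and later).
    binds = [b.strip() for b in conf.get("net.bindIp", "127.0.0.1").split(",")]
    if conf.get("net.bindIpAll") == "true":
        binds.append("0.0.0.0")
    for b in binds:
        try:
            ip = ipaddress.ip_address(b)
        except ValueError:
            continue                              # hostnames and socket paths are not evaluated
        if ip.is_unspecified or ip.is_global:
            findings.append(f"listens on {b}: reachable unless a firewall blocks it")
    return findings
```
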
In defense of the company, it can be said that the passwords in the database were hashed using bcrypt. But most user passwords were so simple that the attackers cracked them without much difficulty. This is the level of protection your data gets with passwords like "12345".



As it turned out, the attackers got their hands on the database not once, but at least twice. It was also examined by information security experts. Incidentally, attackers most often look for MongoDB databases in order to plant malicious software in place of the user information stored in them. One can only wonder at this: experts say all the time that manufacturers of IoT devices pay a lot of attention to the functionality and design of their products, but for some reason they don't worry much about protecting their services and websites from external interference.

One of the experts who took part in the investigation of the hack said that a couple of small mistakes by the developers of the cloud services such toys connect to are enough for the data of smart toy users to become publicly available. And if you don't worry about security at all, nothing good can be expected.

CloudPets is not the only company with problems protecting user information. Two years ago, a similar situation occurred with the data of users of another toy manufacturer, VTech. At that time more than 4.8 million records leaked online, including e-mail addresses, dates of birth, etc. At VTech, some data was stored completely in the clear, so a hack was just a matter of time. As for CloudPets, cybercriminals obtained account data from 821,396 users, 371,970 related accounts and over 2 million voice messages.

With voice messages, the situation is somewhat different than with the database. Audio recordings were not stored in the hacked database. Instead, the company hosted them on Amazon S3 servers, and no authentication was required to gain access. To listen to a message, you need only the URL of the file. But the links to the audio were stored in the accounts in the hacked database. By breaking into an account, an attacker gets all the saved data, including the URLs of all messages sent or received by the user.

Worst of all, the company's servers were compromised in December last year, but the toy manufacturer has not yet notified users about the problem. Some cybersecurity experts tried to contact CloudPets, but there was no response. As a result, on January 12, the database was erased by ordinary attackers who were looking for unprotected MongoDB servers.


“I tried to contact via e-mail, LinkedIn, Zendesk and Twitter. I even tried to contact people using private email addresses. There is no answer,” says Victor Gevers, chairman of the non-profit GDI Foundation, which investigates security breaches.

Now that the breach has become known, parents who bought their children smart toys from CloudPets have begun to worry. “My worst fear is that someone can use this information to send messages to my six-year-old daughter. My parents will no longer send messages to their granddaughter this way,” said Jason Pagel, an attendee of a seminar where cybersecurity experts spoke about data leaks from CloudPets servers.

Representatives of the company, in turn, argue that there is no evidence that the intruders obtained the information of user accounts. However, CloudPets is about to reset passwords for all users as a security measure.

Source: https://habr.com/ru/post/401947/

