CloudPets “Smart” Toys Leak More Than 2M Voice Recordings, Other Personal Data

CloudPets are not cute little adoptable cumulonimbus and cirrus toys for your kid to play with. Instead, they are traditional dog, cat, and bear stuffed animals that relay voice messages between an adult and a kid through the digital cloud. Which in and of itself is not necessarily a bad idea, even if it’s not your style. What is a bad idea, however, is failing to secure your server, and making more than 2 million of those very personal messages public, for anyone on the internet to grab.

Security researcher Troy Hunt wrote a blog post outlining this potential data leak on Monday.

CloudPets are cuddly plush toys that basically work as voice message relays. An adult can record a message on the linked CloudPets app, then that message shoots up to a server and down to the toy, which plays it back.

It also works in reverse: A kid can use the toy to record a message, which relays itself the other direction to the adult’s app. The app also lets a child play with a virtual version of their plush pal, which can then frolic in its digital outdoor environment.

As Hunt points out, CloudPets tells you all this in its own commercial:

When the commercial voice-over lady happily announces that you and your child’s messages “go to the cloud,” what that means is that they go to a server somewhere, to be stored and relayed. And there’s the real problem, Hunt says. The data on that server was left completely exposed to the public, “without so much as a password to protect it.”

Just a pile of user data, including passwords and private voice messages, just sitting out there for anyone who felt like it to grab. And it has been grabbed several times, Hunt adds.

The tipster who pointed Hunt to the breach had tried three separate times to contact CloudPets or its web host about the data, but never received a response.

Hunt shared his findings with a writer at Vice’s Motherboard tech site, who it turned out had also been tipped off to this leak, completely independently, by another user who both found the data and also tried unsuccessfully to report it to CloudPets.

In total, Hunt writes, he and the individuals who both noted the data in December found more than 2.1 million voice recordings publicly accessible on the internet. Hunt was able to listen to several of the voice clips, which sound exactly like you’d sound a little kid talking to a toy to sound like.

In addition to the voice recordings, Hunt and others found children’s names and birthdates, as well as the names and relationships of their parents and “friends” who had been authorized to send voice messages to the kids’ toys.

And on top of all that, Hunt was able to use CloudPets’ own tutorial video to work out how users create and store passwords, and basically crack “a very large number” of passwords in “a very short time.”

Hunt and others also found proof that some of this data has indeed already been used by several different criminal actors several different times to try to hold users’ data for ransom. And the parents who own the accounts and their kids’ toys were never notified.

CloudPets’ parent company Spiral Toys CEO Mark Myers told Network World that no voice recordings were stolen and reports they were leaked are “completely false,” despite the fact that Hunt was indeed able to access and listen to them.

“We looked at it and thought it was a very minimal issue,” he told Network World.

As Hunt also points out: Spiral Toys appears to be not at all long for this world. Its stock is basically complete rubbish, currently trading at less than one half of one cent per share ($0.0045), which is never a good sign. According to Google Finance, the last time it was even as high as $0.50 per share was one brief spike in late September.

In short, it seems distinctly possible that nobody at Spiral Toys is paying much attention to what’s going on with its CloudPets server. If the company is troubled, it may be that they don’t even have anyone around internally who can focus on or fix that right now.

And that’s one of the big problems with connected, “internet of things” devices in general: What happens with the data when a company closes, goes bankrupt, or gets sold?

In Aug. 2016, we reported about a “smart” lightbulb company that disconnected its servers and left its customers, literally, in the dark. A few months earlier, Google-owned Nest shut down its Revolv smart home hub, leaving its customers with, basically, a $300 paperweight that could no longer control any of the internet-connected devices in their homes.

Those companies were able to announce and plan for how to shut down their services (and didn’t leak giant databases of user information all over the place to start with). But if a company — say, perhaps, one that sells connected toys — goes belly-up inelegantly, it may very well do so without a tech support “sunset” plan for any data it holds or servers it operates.

Smart devices are proliferating, many of them through crowdfunded efforts or new startup business ventures. Some will succeed, and become enduring companies. Others, in one way or another, will fail. That means we’re likely to see many more, rather than fewer, instances of poorly-secured device data leaked, breached, or otherwise floating free in the years to come.

UPDATE: Spiral Toys has released a statement in addition to the one referenced above. Here it is in full:

“Spiral Toys was notified about a potential breach on February 22 and took immediate and swift action to protect the privacy of our customers. When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed. To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted. For the protection of our users we are now requiring users to choose new increased security passwords. An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password.

“The CloudPet services have been running safely since March 2015 and we are taking all steps necessary to continue to run safely on our production servers. We are committed to protecting our customer information and their privacy in order to ensure against any such incidents in the future.
Once we have addressed our customers’ needs and we document the incident, we will file the cyber-crime report with the State Attorney General in California.

“We will continue to post any updates on our website.”