Cute, cuddly CloudPet stuffed animals leaking audio and other data fell prey to those seeking ransom.
Cute, cuddly CloudPet stuffed animals leaking audio and other data fell prey to those seeking ransom.

Talking toys can vacillate between creepy and cute, but sometimes they come with hidden perils—like the CloudPets - whose custom audio files allow parents and children to exchange customized messages through cuddly stuffed animals – were just found to be on a MongoDB “in a publicly facing network segment without any authentication required” (and indexed by Shodan) with some information being held for ransom, according to a blog post by Troy Hunt, author of the Have I Been Pwned? breach disclosure site.

“People found the exposed database online,” wrote Hunt. “Many people and the worrying thing is, it's highly unlikely anyone knows quite how many.”

Hunt was alerted to the breach when he was sent data from a table that held the user accounts – some 583,000 or so records that as he found were a subset of CloudPets's total records. Hunt set out to verify that the data was legit and among the entries discovered the email of an attendee at a private security conference he happened to be leading. “Sure enough, his email address was in the breach and it was time-stamped Christmas day, the day his daughter had been given the toy,” Hunt wrote.

The user's password was stored as a bcrypt hash, Hunt said, and he was able to validate the hash against the user's record, proving that “the data was real.”

That connected “things,” particularly children's toys, are vulnerable to breach and leak data is not surprising – the CloudPets breach has renewed calls to strengthen the posture of the Internet of Things (IoT).

“With the great increase of IoT devices, from teddy bears like the ones connecting with CloudPets to medical devices monitoring patients to connected refrigerators, our race for innovation brings a lot of cool stuff to life in a very short time, and this will continue in the next years, as there is a potential to revolutionize the way we're living,” Ben Herzberg, security research group manager at Redwood Shores, Imperva, said in comments emailed to SC Media. “However, we've seen a lot of security glitches from these IoT companies, and they need to understand that information security is not just a ‘good-to-have.'”

Paul Calatayud, chief technology officer (CTO) at FireMon, who calls “IoT the IoMT as in the Internet of Malicious Things,” said in comments emailed to SC Media, that the news of the teddy bear leak hits on two main issues. One, the growing use of open source databases, and two, putting devices on the internet.”

Calatayud noted that free technologies like MongoDB, commonly used in e-commerce because it's flexible and free, comes with a price. “Like most things that are free there are hidden costs in the form of no security confirmations or common security models,” he said. “This results in what I call security regression, where best practices quickly become forgotten in the rush to slap an application on the internet. Combine this with devices that are exposed to the internet and you have a combination for a hackers paradise.”

What the CloudPet situation “really demonstrates is how dogmatic, infosec-centric approaches to IoT security will always result in failure,” Bill Diotte, CEO of Mocana, said in emailed comments to SC Media. “Right now, hackers could be inside of every major cloud platform and database in use, searching for information about mission critical industrial control systems, jet engines and connected cars. If this type of data can be accessed as easily as these simple voice recordings were, we could experience catastrophic incidents that destroy property and even lead to human casualties.”

To thwart “IoT-related breaches and attacks, whether they be aimed at consumer or industrial systems,” Diotte said, the industry must abandon “the status quo and adopt methods that allow devices to defend themselves from their hardware cores to the cloud.”

The CloudPets breach is proof that password credential breaches are on the rise. “The answer is simple – convenience. With all forms of security, convenience suffers. Whether it be using various forms of two-factor authentication or multi-factor authentication, users need to manage and remember passwords,” Byron Rashed, vice president of global marketing, Advanced Threat Intelligence, at InfoArmor, said in comments emailed to SC Media. “Best practice would dictate a different and unique password for each application. Just think how many applications the average person uses in one day - email, social media sites, banking, shopping, etc. Not only is it daunting, but it's inconvenient; however, it has become a necessity in today's digital age.”

Companies face a dilemma “between ease of use and the overall customer experience versus security of accounts,” Rashed said. “Investing in technologies such as encryption and multi-factor authentication add to the cost of doing business while degrading the customer experience. Many companies do not fully assess the risk of convenience versus security.”

Criminals, too, have a leg up. “SHA-1 and MD5 hashes can easily be cracked by automated tools on black market sites on the Dark Web were cybercriminals can get clear text passwords,” said Rashed. “Professional cybergangs are very organized and members have areas of specialty from network infiltration to data exfiltration to monetization. Many of these organizations bring in millions of dollars in income, and some are shielded with non-extradition to the victim country.”

And many devices are simply not built with security in mind.

“For most IoT sales the vendor is not monetizing the data, only the device itself (a single point in time purchase for minimal margin),” Philip Lieberman, president and CEO of Lieberman Software, said in emailed comments to SC Media. “The business model for IoT provides little to no incentive for security and off-shore vendors have a shield of no legal recourse for U.S. consumers.” 

Companies, though, are facing increasing pressure to bring their devices, whether stuffed bears or thermostats, up to a higher security standard. “Every company that's selling devices that connect to the internet must know that in that moment they become a target, and will probably not have a lot of grace time before they start getting attacked,” said Herzberg.