breach, Buzz, cayla doll, cloudpets, General Social Engineer Blog, hacking, Hello Barbie, IoT, passwords, Privacy, surveillance, teddy ruxpin

Not Your Average (G.I.) Joe

2 min read March 2, 2017


Back in 2015 we reported on possible vulnerabilities in the web-connected Hello Barbie IoT doll, and on the risk of privacy and security breaches from children's conversations being stored in the cloud. Two weeks ago Germany banned the interactive Cayla doll from stores and issued warnings to parents who had already purchased it. The Cayla doll was found to be insecure and to violate Germany's laws against concealed surveillance devices.

On Monday it was announced that these concerns were realized once again, this time through attacks against CloudPets plush animals. CloudPets lets parents use a smartphone app to leave messages for their children on the plush toy, and children can send messages back to their parents. Profile data, including email addresses and passwords, was stored in an unsecured MongoDB instance; in fact, it was so insecure that it had neither password nor firewall protection. While the account passwords were hashed, many were easily cracked because they were as simple as "cloudpets" or "1234567". The voice messages themselves were found to be stored on an Amazon server that did not require authentication either, so all an attacker had to do was guess or slightly alter a URL to gain access to the recordings.

While this post was being written, even more troubling details emerged about the CloudPets vulnerabilities. Anyone within Bluetooth range can connect to the plush toy and record what it is hearing at the time, or upload a message of any nature for it to play to the child. In effect, the toy can be turned into an eavesdropping device inside your home.

Security researchers had been trying, without success, to contact the makers of CloudPets, and the breached data has been exposed online since at least late last year. As of this writing, the toy maker has not responded or addressed the issue. If your child owns one of these toys, you should consider changing your account password and the password of any other account that may have used the same one (such as your bank), and turn the device off until this issue is resolved.

As IoT devices become more commonplace throughout our homes, consumers need to demand better security from manufacturers. Breaches like this also demonstrate why it is not recommended to reuse the same password across multiple sites, and why a complex, unique password should be used on every internet-connected account. Also make sure to discuss these issues and breaches with your non-technical friends, who may not realize the danger posed by the toy sitting in their living room. If you still want a toy that can play messages to your children, Teddy Ruxpin dolls are still available on eBay and are secure from hacking.
