Creepy CloudPets pulled from stores over security fears

Good news for privacy-conscious parents of young children!

Major retailers have begun pulling CloudPets cuddly toys from their shelves after warnings were issued that the internet-enabled toys posed a risk to privacy.

A year ago it was revealed that more than 2.2 million voice recordings of children and parents, as well as 800,000 associated email addresses and passwords, had been carelessly leaked through lax security on a MongoDB server.

Spiral Toys, the manufacturer of the so-called “smart” toys, claimed to act swiftly to fix the problem – and another vulnerability which could allow a remote hacker to not only record audio but also broadcast messages via the toys.

In the following video you’ll see just how easy it proved to be for a hacker within Bluetooth range of a fluffy CloudPet to hijack control of the toy.

At the time, news of the security breach was widely reported and even managed to gain the attention of comedians on late night US talk shows.

The issue was, of course, no laughing matter.

And twelve months after the initial disclosure of the security problems, researchers found that Spiral Toys had still not implemented proper authentication techniques to protect against hackers spying on children via cuddly CloudPets.

Concerns were also raised that SpiralToys had allowed a domain used to host a tutorial for the toys – mycloudpets.com – to lapse, opening opportunities for criminals to use the URL for phishing attacks.

As Consumer Affairs reports, the EFF wrote a letter to Walmart, Target, and Amazon, voicing their concern that the insecure cuddly toys were being sold to unsuspecting consumers.

Part of the letter read as follows:

What CloudPets demonstrates is the potential privacy risks that even a toy with limited
connectivity can pose. More importantly, it also shows how these toys are entry points
for companies to generate a consumer base from children for other digital products in
the future. That’s why it’s so critical that privacy and security be at the forefront of
makers’ minds.

We believe retailers have a crucial role to play when it comes to helping encourage
manufacturers to respect the trust of their consumers. We hope you will immediately
pause the sale of CloudPets, and we look forward to working with you on more
proactive, positive steps that could be taken to protect customer safety, security, and
privacy.

Last week, Walmart and Target stopped selling CloudPets. This week, eBay and Amazon joined them.

Action like this means that less people are likely to buy these particular insecure childrens’ toys. It’s foolhardy to think, however, that there aren’t other products out there which are doing a similarly dreadful job at securing the privacy and safety of society’s most vulnerable consumers.

2 comments

  • By Wayne - Reply

    Wow. So I’d really have to be in like the same room as this toy to “maliciosly” make it talk. Big deal.

    • By Bogdan Botezatu - Reply

      Class 1 Bluetooth is rated for 100m / 330ft. Class 2 Bluetooth has a range of only 10 meters, but that is enough for people to tap into the toy from the curb, particularly in residential areas with blocks of flats where the population density is significantly larger. And forget making the toy talk, someone can RECORD conversations that take place next to the toy. This is important.

  • Add Comment

    Your email address will not be published. Required fields are marked *