Creepy CloudPets pulled from stores over security fears
Good news for privacy-conscious parents of young children!
Major retailers have begun pulling CloudPets cuddly toys from their shelves after warnings were issued that the internet-enabled toys posed a risk to privacy.
A year ago it was revealed that more than 2.2 million voice recordings of children and parents, as well as 800,000 associated email addresses and passwords, had been carelessly leaked through lax security on a MongoDB server.
Spiral Toys, the manufacturer of the so-called “smart” toys, claimed to act swiftly to fix the problem – and another vulnerability which could allow a remote hacker to not only record audio but also broadcast messages via the toys.
In the following video you’ll see just how easy it proved to be for a hacker within Bluetooth range of a fluffy CloudPet to hijack control of the toy.
At the time, news of the security breach was widely reported and even managed to gain the attention of comedians on late night US talk shows.
The issue was, of course, no laughing matter.
And twelve months after the initial disclosure of the security problems, researchers found that Spiral Toys had still not implemented proper authentication techniques to protect against hackers spying on children via cuddly CloudPets.
Concerns were also raised that SpiralToys had allowed a domain used to host a tutorial for the toys – mycloudpets.com – to lapse, opening opportunities for criminals to use the URL for phishing attacks.
Part of the letter read as follows:
What CloudPets demonstrates is the potential privacy risks that even a toy with limited
connectivity can pose. More importantly, it also shows how these toys are entry points
for companies to generate a consumer base from children for other digital products in
the future. That’s why it’s so critical that privacy and security be at the forefront of
We believe retailers have a crucial role to play when it comes to helping encourage
manufacturers to respect the trust of their consumers. We hope you will immediately
pause the sale of CloudPets, and we look forward to working with you on more
proactive, positive steps that could be taken to protect customer safety, security, and
Last week, Walmart and Target stopped selling CloudPets. This week, eBay and Amazon joined them.
Action like this means that less people are likely to buy these particular insecure childrens’ toys. It’s foolhardy to think, however, that there aren’t other products out there which are doing a similarly dreadful job at securing the privacy and safety of society’s most vulnerable consumers.Amazon CloudPets security Target Walmart