Actual Cases

Data from connected CloudPets teddy bears leaked and ransomed!

This is an interesting story about CloudPets and privacy.

Only a couple of weeks ago, there were a lot of news headlines about how Germany had banned an internet-connected doll called “Cayla” over fears hackers could target children. One of their primary concerns was the potential risk to the privacy of children: conversations between the child and others can be recorded and forwarded.

The Germans had a good point: kids’ toys which record their voices and send the recordings up to the web pose some serious privacy risks. It’s not that the risks are particularly any different to the ones you and I face every day with the volumes of data we produce and place online (and if you merely have a modern phone, that’s precisely what you’re doing), it’s that our tolerances are very different when kids are involved. I’ve got young kids myself and frankly, I’m with the Germans on this one; I don’t see a need for them to have things like their voices recorded and stored online. That’s not to say I don’t want them to have an online presence and I’m gradually exposing both of them to more and more modern internet things, but I don’t particularly want innocent childish behaviour like playing with a toy to be recorded and stored on other people’s computers.


CloudPets (a brand owned by Spiral Toys) is a toy that represents the nexus of both the problems discussed above: kids’ voices being recorded and their data consequently being leaked. The best way to understand what these guys do is to simply watch the video:

Now firstly, put yourself in the shoes of the average parent, that is, one who’s technically literate enough to know the wifi password but not savvy enough to understand how the “magic” of daddy talking to the kids through the bear (and vice versa) actually works. They don’t necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn’t realise that in CloudPets’ case, that data was stored in a MongoDB database that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).
