Internet-Enabled Children’s Toys Expose Data for Hundreds of Thousands of Users
Internet-Enabled Children’s Toys Expose Data for Hundreds of Thousands of Users
Have you heard of the “Internet of Things”? A relatively newer term, this phrase refers to far more than just Internet-connected thermostats and Wi-Fi-enabled refrigerators. Companies now build network functionality even into children’s toys. As we know from the problems caused by the Mirai malware & botnet, many Internet of Things (IoT) devices feature serious security flaws. Recently, the intersection of toys with these security flaws resulted in the exposure of a staggering amount of user information.
A popular item last Christmas season, the “CloudPets” brand of toys advertises a unique selling point: the ability for parents to share messages with their children from afar through their favorite stuffed animal. While it sounds heartwarming in concept, in practice the company behind the products implemented nearly no precautions to protect the user data obtained from using those features.
In fact, the entire database of user information was on the web without any security — not even basic password protection. Thus, all 800,000 user records leaked. Subsequently, hackers destroyed the database twice during ransoming attacks related to other vulnerable databases. While it wasn’t possible to see users’ passwords inside the database, many passwords were so insecure it was easy to determine what they were.
Making matters worse, perceptive hackers could potentially deduce the location of all the voice recordings for a customer through this data. Again, this information was left in an unsecured location on the web, making it possible to guess URLs and find this information. The manufacturers have not responded to any of the news about these breaches nor notified users that hackers may have stolen their information. This egregiously lax attitude further highlights the dangers of trusting digital products without proper vetting; there is seldom a way to tell whether a company will be a good steward of your information.
When purchasing products that advertise Internet functionality, it’s important to ask: is it necessary? Often, alternatives to these products work just as well without the inherent security risks. Until more companies begin to implement viable security on their devices, users should remain extremely wary of IoT products.
As the CloudPets debacle makes clear, you may not even know that an IoT product exposes information about you until it is too late. At the same time, the appalling level of password security found in the leaked credentials reveals the continued need for better password practices by users. Next time you’re purchasing products for your home, you may want to think twice about IoT options.