Teddy bears that play voice messages through the cloud leak millions of recordings
A teddy bear IoT device that plays back recorded messages from the cloud at a remote location was found to have stored more than 820,000 user accounts and more than 2.2 million recordings, including personal information and photos, on a cloud server in a state where anyone could view them.
Troy Hunt: Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages
Stuffed toys leak millions of voice recordings from kids and parents - Feb. 27, 2017
Security expert Troy Hunt received data including user account information for the children's IoT device "CloudPets" from someone in a circle that exchanges information about data breaches. When Hunt verified this data, it proved to be genuine data of real CloudPets users.
You can see what kind of product CloudPets is in the official video below.
CloudPets Commercial - YouTube
With CloudPets, messages recorded from an app and the like can be played back through a stuffed animal such as a teddy bear, and a child can talk to the bear to reply with a voice message.
Looking at the video, you can see that CloudPets is aimed at, for example, "grandparents and grandchildren who live far apart". According to Hunt, these users know enough to use Wi-Fi, but they do not know how their messages are played through the teddy bear.
When Hunt investigated the anonymously leaked CloudPets data, he found that the user data was stored in a "MongoDB" database that was indexed by "Shodan", a search engine that can find exposed IoT devices and data breaches.
The person who leaked this information to Hunt warned that the user data of more than 820,000 people was readable by anyone, and apparently tried to contact the email address used on the CloudPets support page, the company email address registered in the WHOIS record for the support page, the hosting provider used by CloudPets, and others, but received no reply.
Security expert Niall Merrigan has reported on a hacking method in which data is stolen through MongoDB and 1 BTC (about 138,000 yen) is demanded in exchange for restoring it, and Hunt says that a similar ransom attempt has been made against the CloudPets data as well. Besides the recordings and photographs, the database, which required no authentication, contained private information such as the child's name, date of birth (without the birth year), the "friends list" of people who can share messages with the child, and each friend's relationship to the child (father, mother, grandfather, grandmother).
Although the CloudPets database has since been taken offline, CloudPets' maker Spiral Toys has not responded, for example by asking users to change their passwords, which in some cases may violate US law. Hunt says, "I normally contact the companies involved about information I learn of, but I have had no reply from CloudPets, and that is irresponsible. Companies offering online services should take into account feedback from unexpected sources," and says he is considering notifying the appropriate regulatory authorities about this case.
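The root cause described above, a MongoDB instance reachable from the internet with no authentication, is a configuration problem rather than a software bug. The following mongod.conf fragment is an added example, not taken from the article or from CloudPets' actual deployment: the first YAML document shows the kind of setting that leaves a database open to anyone who finds it on Shodan, and the second shows the hardened equivalent. The option names (`net.bindIp`, `net.port`, `security.authorization`) are standard MongoDB configuration keys; the port and interface values are illustrative.

```yaml
# --- Exposed configuration (constructed example of the weak setting) ---
# Listening on all interfaces with authorization left at its default (off)
# means every document is readable and writable by any client that can
# reach the port. Ransom attacks that drop the data and leave a note work
# exactly the same way.
net:
  bindIp: 0.0.0.0
  port: 27017
# security: section absent, so no user credentials are required
---
# --- Hardened configuration (constructed example of the corrected setting) ---
net:
  # Only accept connections on the loopback interface; application servers on
  # other hosts should reach the database over a private network or VPN,
  # never over a public address.
  bindIp: 127.0.0.1
  port: 27017
security:
  # Require role-based authentication for every client connection.
  authorization: enabled
```

After enabling `security.authorization`, an administrative user must be created before clients can connect, and a perimeter firewall rule blocking inbound 27017 from the internet provides a second layer in case the bind address is ever widened again. Periodically checking your own public IP ranges against Shodan is a cheap way to detect the kind of accidental exposure this article describes.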