iconimage - Fotolia

CloudPets’ data breach underlines need for secure cloud apps

More than two million voice recordings and e-mail addresses and password data for more than 800,000 accounts linked to an internet-connected toy have been leaked online

A breach of personal data linked 820,000 accounts of users of an internet-connected teddy bear underlines the need for cloud apps to be secure by design, say security commentators.

The leak of nearly 2.2 million voice recordings of children and parents, email addresses and passwords from a MongoDB database was uncovered by Troy Hunt, who runs the HaveIBeenPwned website.

The internet of things (IoT) teddy bear involved is part of Spiral Toys’ CloudPets range of connected stuffed toys designed to enable parents and children to stay in touch through voice messages.

The poorly secured data on a 10GB MongoDB NoSQL database was accessed and copied by would-be cyber extortionists between 25 December 2016 and 8 January 2017.

The MongoDB installation required no authentication to access, and contained links to .WAV files of Cloudpets’ voice messages hosted in the Amazon cloud, which also required no authentication.

The database would have been easy for cyber criminals to find simply by scanning the internet for insecure MongoDB installations using the Shodan search engine.

According to Hunt, the data was accessed multiple times by different parties, including hackers who later held the data for ransom.

Hunt said several attempts to contact CloudPets through various channels were unsuccessful, but Shodan searches revealed that by 13 January 2017, no CloudPets’ databases were publicly accessible.

“It’s impossible to believe that CloudPets, or mReady [which hosts the website that connects to the CloudPets app], did not know that the databases had been left publicly exposed and that malicious parties had accessed them,” he wrote in a blog post.

“Obviously, they’ve changed the security profile of the system and you simply could not have overlooked the fact that a ransom had been left. So both the exposed database and intrusion by those demanding the ransom must have been identified, yet this story never made the headlines.”

Hunt said an acquaintance whose data was leaked had never heard about the exposure and that his private conversations with his daughter had potentially been accessed illegally.

Read more about IoT security

News of the CloudPets data leak comes just a week after Germany banned the popular My Friend Cayla dolls because of fears that the smart toy could be used by hackers to spy on children.

In November 2015, a database belonging to Hong Kong-based toymaker VTech was compromised by hackers, exposing the personal data of 6.3 million people.

“Lax security practices that expose the personal data of children and parents to data-jacking are just unconscionable,” said Zohar Alon, CEO and co-founder, Dome9 Security.

“Customers of public cloud services such as Amazon Web Services and Microsoft Azure have cutting-edge tools at their disposal to manage security in their environments, including identity and access management, network security and application firewalls.

“But the best tools can’t save customers from irresponsible behavior. The agility and ease of use of the public cloud make it just as easy to build new apps that don’t take security into account,” he said.

Security must be baked into design, says expert

Bryce Boland, chief technology officer for Asia-Pacific at FireEye, said there is little excuse for CloudPets’ lack of basic protections for the breached database, but this is unfortunately not an isolated incident.

“This isn’t the first case of a toy manufacturer failing to protect their customers’ information and it likely won’t be the last. The fact is, a baby’s crib is required to meet more rigorous safety standards and testing than connected devices such as baby monitors or connected toys.

“Companies need to bake security into the design of their products. Security can’t be an afterthought. Connected devices such as these need to be designed assuming hackers will try to compromise them. They should be designed so that even if they are compromised and information is stolen, it is useless to the attacker,” he said.

Consumers need to be aware that there will always be potential attack vectors in products connect to the internet, said Boland.

“If there’s no evidence from the company that they have taken steps to secure information, they probably haven’t. In fact, even in cases where companies claim to have taken steps, we sometimes see they haven’t adequately addressed threats.

“Things will probably get worse before they get better. It’s a safe bet that attackers will continue to move faster than manufacturers. This case could’ve been worse – imagine attackers using the toys as Trojan horses to encrypt files on the home network and then demand a ransomware,” he said.

Boland said although he is not usually in favour of regulation, governments need to shift security from an economic externality to a cost of doing business. “Until that happens, these events will continue to be common,” he said.

Read more on Privacy and data protection