Monday February 27, 2017

IoT Strikes Again As Connected Teddy Bear Leaks 2 Million Recordings and Passwords

IoT connected devices just can't get out of their own way when it comes to internet security. A stuffed animal called Cloudpets that allows you to record conversations and send them to others has been coerced into giving out 2 million recordings along with 800,000 email addresses and passwords allegedly. Spiral Toys is the company behind the teddy bear and supposedly hasn't even been bothered enough to tell it's customers about the security breach.

Is it a security breach if there was never security installed in the first place? The servers holding the recordings and passwords were freely open for hackers to scan and pillage for months as it was alleged that there was no password or firewall installed on the servers. The passwords that parents set could be as short as three letters, so the strong encryption on the email and password files was useless in many cases. Hackers have allegedly deleted the database twice and hold the data in lieu of a ransom payment.

The voice messages themselves were not in the database, according to the researchers. But Hunt found out that they were stored in an Amazon S3 bucket that doesn't require authentication. So as long as hackers could guess the URL of the files, they could listen to the messages. Hunt said he believes that was definitely possible. Moreover, many customers used incredibly weak passwords such as 123456 or "cloudpets," (in part probably because the app allowed users to create accounts even with as short a password as "qwe," as this video shows), making it trivial to log into their accounts and listen to the saved messages.

To make matters worse, the data was exposed two months ago, and since then, the company hasn't notified the victims, nor disclosed the breach.