
CloudPets teddy bears leaked and ransomed, exposing kids' voice messages - 0x0
https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/
======
teraflop
For anyone who is coming straight to the comments before reading the article:
the details are even worse than the headline suggests.

Not only was a huge amount of information exposed through a public,
unauthenticated MongoDB instance, and not only did CloudPets ignore multiple
security researchers' attempts to alert them to the problem, but the database
was actually held for ransom _multiple times_ without customers being alerted
to the breach.

~~~
nvarsj
This is _insane_. My daughter got a surprise cloudpet for her birthday from a
distant relative. The app you have to use with the cloudpet is also filled
with ads, some of which are of adult nature. This company is sleazy as hell. I
hope they get sued out of existence.

~~~
lazyasciiart
They basically failed out of existence before this even happened (the article
includes details on their share price sliding to nothing earlier last year),
which is probably one reason they didn't bother telling customers about it.
This is probably the best example I've ever seen of the dangers of trying to
keep a service running once the company behind it has gone under.

~~~
shostack
Why did they fail aside from security issues?

~~~
minimuffins
just a guess: their product is stupid

------
orf
A guy I work with did a presentation on this product, he is big into reverse
engineering bluetooth devices. I can assure you the toys themselves are just
as insecure as apparently their infrastructure is.

Seeing it light up and say "destroy all humans" was pretty funny, more so
because there is pretty much zero authentication on them so you could do it
from anywhere from your mobile, and the mic can turn on and record without any
authentication at all.

 _sigh_ internet of things

~~~
0xfeba
The "S" in IoT stands for Security.

~~~
Crosseye_Jack
Some of us do give a shit about security. It's just a shame that it feels like
we are the exception to the rule.

~~~
elorant
We do because we realize what the lack of it entails. So will the general
public, eventually. And the only way to get there is if more cases like this
start happening. It's a shame they have to learn the hard way but there's no
other way. That, or we as an industry act up (in ways I can't even fathom).

~~~
mulmen
The fact that you allude to it suggests you can fathom it in some way. Maybe
you don't want to but clearly bad actors can exploit insecure systems and
that's especially easy from the inside.

~~~
elorant
Sure I can, but they're all unrealistic so no point mentioning them. We could
for example start boycotting companies that don't take security seriously. But
I'm afraid we'd end up with a very, very long list.

Publicity can work wonders. You end up with sensitive data for kids in the
wild, possibly in the hands of perverts, nothing could work better than that
in raising awareness for the general public. It's harsh, but it fucking works.
So we'll stick with it for now, unless someone comes with a better idea.

~~~
otakucode
Lawsuits for criminal negligence against the CEOs of the companies themselves
would be a damn good start. Their business practices are why these problems
happen. They cut every corner they can find, put business school grads in
charge of deciding schedules and resource allocation to engineering, and make
sure that if an engineer says 'we need more time and testing' that any
low-level manager can tell them business goals come first.

------
cm2187
> _The Germans had a good point: kids' toys which record their voices and
> send the recordings up to the web pose some serious privacy risks. It's not
> that the risks are particularly any different to the ones you and I face
> every day with the volumes of data we produce and place online (and if you
> merely have a modern phone, that's precisely what you're doing), it's that
> our tolerances are very different when kids are involved_

It's a bit paradoxical. There are way fewer things a kid can say that can get
him in trouble than an adult. Even the most oppressive regime will not hold
what a 4yo toddler says against him. The need for privacy should rather be
less for a kid than for an adult.

What it means is that violations of privacy are creepy, period. We try to
rationalise it by arguing that we get something out of it, but when dealing
with our kids, we stop believing our own bullshit and it just becomes
purely creepy...

~~~
mirimir
First, it's not just about "get [them] in trouble". Think about ten years
later. Do we want adversaries to have logs of children's conversations?

Also, it's not just recordings. Once an adversary has account access, they can
talk to children. I can't imagine that being a good thing.

~~~
mulmen
Additionally, what benefit do we have to gain by preserving these recordings?
The whole thing seems massively risky for no reason other than to make a few
bucks.

~~~
TeMPOraL
> _The whole thing seems massively risky for no reason other than to make a
> few bucks._

That's, unfortunately, the very reason why most of IoT stuff exists.

------
nkrisc
When will these companies be held liable for breaches like this? The time for
feigned ignorance is over, this is negligence at best, outright greedy
indifference at worst. There are no more excuses.

------
dTal
Okay, first of all:

> the average parent.. is technically literate enough to know the wifi password
> but not savvy enough to understand how the "magic" of daddy talking to the
> kids through the bear (and vice versa) actually works [or] that every one of
> those recordings... is stored as an audio file on the web.

If it is not considered amazingly stupid, or at least ignorant to not
understand that the magic talking bear has a computer in it, and that if the
computer wants the wifi password it probably uses the internet, and that if
the entire purpose of the device is to make recordings available to you over
the internet... then I despair. My sympathy for people who buy these sorts of
products is wearing thin. But, in this particular instance...

> our tolerances are very different when kids are involved

Interesting. Why? The data is much less valuable:

> One little girl who sounded about the same age as my own 4-year old daughter
> left a message to her parents: "Hello mommy and daddy, I love you so much."
> Another one has her singing a short song, others have precisely the sorts of
> messages you'd expect a young child to share with her parents.

Hardly identity thief material.

~~~
gavman
> Hardly identity thief material.

True, but potentially very dangerous material in other ways. It's not hard to
imagine kidnappers piecing together stolen audio clips to create fake messages
as part of a ransom attempt. Or scammers creating audio clips to scare parents
and extract money. A large bank of audio clips from a child could be used
against that child's family in all sorts of ways, especially if the parents
don't know the clips were stolen to begin with.

~~~
ourmandave
I don't understand. If I got a call in my daughter's voice saying "Help! I'm
being held for ransom! Send all the bitcoins!" And then I call her phone and
she answers or she walks in the door having gotten home from school, how is
anyone going to collect on that?

~~~
mulmen
I might watch too many spy movies but maybe they wait for a time she will be
away from her phone, like the camping trip she has been talking about for
weeks or a school field trip that can be easily learned and googled from
conversations about class or sports competitions based on googling team names.
These are all things that are likely to come up in regular, routine
conversation.

The real question is why you wouldn't already be terrified about having a
microphone in your house that is open to the internet.

------
Taek
Is there a fine for this? Some sort of punishment? Companies need to be taking
security seriously, we are all paying the price.

Internet-of-Shit will remain exactly that until neglecting security is a
substantial threat to the bottom line of a company.

They ignored multiple warnings? Got hacked multiple times? This is negligence,
and this company should be fined out of business.

~~~
f_allwein
Judging from other comments, it seems they're on the way out anyway. But the
question of fines etc. is interesting...

~~~
deathanatos
The corporation might be, but this seems like the level of gross criminal
negligence that a _person_ should be held liable for.

~~~
callalex
I'm not necessarily disagreeing but that seems fundamentally opposed to the
way an LLC works.

~~~
TeMPOraL
Failing at business is one thing, doing people-hostile things should be
another. I'm all for reducing the personal risk of doing business for
entrepreneurs, but for antisocial actions, there should be personal
consequences.

------
Animats
"CloudPets can send and receive messages from anywhere in the world! Buy
Now".[1] They delivered on that, all right.

If you want one, they're now available for the low, low price of only $3.[2]
Including WiFi.

[1] [https://cloudpets.com/](https://cloudpets.com/)

[2] [https://www.hollar.com/products/as-seen-on-tv-cloudpet-dog](https://www.hollar.com/products/as-seen-on-tv-cloudpet-dog)

~~~
rasz_pl
$3 is a great price for a stuffed animal, not to mention IoT BT/Wifi platform.

------
janwillemb
Apart from the total disaster these kinds of incidents are, they serve a
valuable purpose: material to educate my children about security. It is
surprising to see how quickly my 9-year old daughter picks up the message,
especially from these kinds of stories.

~~~
vidarh
My 7 year old son is rapidly becoming far more hostile to anything from ads to
privacy invasions because it is simply making up a far bigger part of his life
than it does for me.

I wonder how children learning about these things from such a young age will
play out once they're grown up.

------
tudorw
IoTTDWAMBTPCHGOOBOABS

'Internet of Things That Don't Work Anymore Because The Company That Made Them
Has Gone Out Of Business, Oh, And Because Security'

------
kriro
Who's the goto "freedom/privacy marketing" organization (EFF seems to be legal
only)? This is an excellent propaganda-for-freedom opportunity. It involves a
creepy invasion of privacy targeting children. Needs to be used in a massive
campaign against (insecure) IoT ASAP.

~~~
hidden-markov
Privacy international.

------
snug
Should we call this PetsBleed?

~~~
bbcbasic
No. CloudBleed was insult enough to the "Bleed" suffix. This is taking it too
far.

------
atemerev
I had a bear like that (not CloudPets, but looks like an exact clone).
Thankfully, it was only used by my daughter with my supervision, so I know
exactly what has been said. Unless the mic was enabled remotely, that is.

I assumed that the security issues might be bad, but placing the voice on
unsecured Mongo facing the public Internet is beyond shit.

Thankfully, I disabled the bear a long time ago. But now I worry about my
NetAtmo station, which contains an always listening microphone to "measure the
noise pollution". Yeah, right.

~~~
scott_karana
"Always listening" is meaningless marketing drivel.

 _Anything_ with a microphone might always be listening, and you probably
can't (easily) verify whether it's on-demand or not ;-)

------
jasonlotito
As an interesting side note, this also seems to be built on top of the
Parse Node.js self-hosted server, based on the schema provided.

------
otakucode
Until executives of tech companies are convicted for criminal negligence, this
will never improve. The current accepted business practices in tech are
abominable and criminally reckless. If a company building housing was as
negligent in hiring unqualified cheap talent, ignoring reports from engineers
about needing more resources or time in deference to business goals, etc, they
would be tried as a criminal and face time in prison.

Put some CEOs in handcuffs, lock them in a cage like an animal, and see how
quickly companies actually start doing crazy things like mentioning the word
'security' in job listings for software engineers or system administrators or
even doing the unthinkable, hiring experienced expensive engineers.

------
coldpie
For goodness' sake. Stop connecting things to the Internet.

------
Kiro
> As you can see by loading the image, all that's required to access the file
> is the path which is returned by the app every time my profile is loaded.

How else would you do it?

~~~
bigiain
Put it behind the webapp's authentication and access control layer - so only
logged in users with relevant connection/permission to the requested image can
get it.
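The difference between the two approaches above, as an added example (not code from the article or from CloudPets): an in-memory model in which a recording is served only to a logged-in user who owns it or has a connection to its owner, with the path-only pattern the article describes kept alongside for contrast. The store, session tokens and sample data are all constructed here.

```python
"""Serving a stored recording only after an authorization check.

Added example, not code from the article or from CloudPets: a recording
is reachable only by a logged-in user who owns it or has a connection to
the owner. Knowing the storage path, which the article shows was all the
real service required, is not enough here.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised for every refused access; the message is for server logs only."""


@dataclass
class Recording:
    recording_id: str
    owner: str
    storage_path: str   # internal location of the audio; never sent to clients


@dataclass
class Store:
    sessions: dict = field(default_factory=dict)     # session token -> user id
    connections: dict = field(default_factory=dict)  # user id -> set of connected users
    recordings: dict = field(default_factory=dict)   # recording id -> Recording
    blobs: dict = field(default_factory=dict)        # storage path -> audio bytes


def serve_by_path(store, storage_path):
    """The pattern the article describes: whoever knows the path gets the file."""
    return store.blobs[storage_path]


def fetch_recording(store, session_token, recording_id):
    """Hardened form: authenticate, then authorize against the owner's connections."""
    user = store.sessions.get(session_token)
    if user is None:
        raise Forbidden("no valid session")
    rec = store.recordings.get(recording_id)
    if rec is None:
        # same exception as a denied request, so the API does not confirm existence
        raise Forbidden("unknown recording")
    allowed = user == rec.owner or user in store.connections.get(rec.owner, set())
    if not allowed:
        raise Forbidden(f"{user} has no connection to {rec.owner}")
    return store.blobs[rec.storage_path]


def build_sample_store():
    """Constructed sample data: two connected parents and an unrelated stranger."""
    store = Store()
    store.sessions.update({"sess-a": "parent_a", "sess-b": "parent_b",
                           "sess-x": "stranger"})
    store.connections["parent_a"] = {"parent_b"}
    store.connections["parent_b"] = {"parent_a"}
    store.recordings["rec-1"] = Recording("rec-1", "parent_a", "audio/7f3a.wav")
    store.blobs["audio/7f3a.wav"] = b"RIFF-constructed-sample"
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(len(serve_by_path(s, "audio/7f3a.wav")), "bytes with no check at all")
    print(len(fetch_recording(s, "sess-b", "rec-1")), "bytes for a connected parent")
    try:
        fetch_recording(s, "sess-x", "rec-1")
    except Forbidden as exc:
        print("stranger refused:", exc)
```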

------
mattbgates
Companies have to get more involved in actually encrypting their data before
entering it into the database. For every web app I create, especially when
sensitive information is exposed, I try to encrypt as much data as possible.
With all the leaks and hacks.. it only makes sense to add some encryption
method in there.

~~~
TeMPOraL
The real issue is, companies should not touch, and especially not _store_ data
unless absolutely necessary, and only store it for as long as it's needed and
not longer.

There is a German word for that. Datensparsamkeit.

[https://martinfowler.com/bliki/Datensparsamkeit.html](https://martinfowler.com/bliki/Datensparsamkeit.html)

Actually, and probably for the first time ever, I completely agree with
Fowler:

"Datensparsamkeit isn't just about bad people stealing data, it's also about
your relationship with the primary company themselves. The default attitude at
the moment is that any data you generate is not just freely usable by the
capturer but furthermore becomes their valuable commercial property. Privacy
advocates, including me, think this assumption needs to be changed. Companies
should only capture what they need and the burden of demonstrating need should
fall on them. In addition, of course, they must be completely transparent
about what they capture, what they store, and who they share their data with."

This, I believe, _needs_ to be enforced by regulations, worldwide. Businesses
won't do it themselves, because it's a clear case of conflicting social and
monetary interests.

~~~
porker
> Actually, and probably for the first time ever, I completely agree with
> Fowler

Upvoting you just for that. <3

------
graystevens
I'm working on an idea in the security space, that focuses on data breaches
and attempting to identify them early. Keen to validate the idea, so if any
fellow startups or businesses are interested, I'd love to talk and see what
people think. Email is in my profile.

------
FullMtlAlcoholc
I don't want to be sophomoric or immature, but I just wanted to point out that
a company whose initials are CP makes teddy bears for children.

And now audio of children has been hacked, exposing kids' voices. The future is
here, and it's weird.

------
Walf
So it could all have been avoided if they'd made it unnecessary to identify
oneself and paired app with toy via decent public key encrypted
communications. I think the toy is a good idea, it just had a shit
implementation.

------
ohstopitu
Can someone explain to me why a teddy bear needs to be connected to the
internet?

Especially in this fashion?

Why can't we just have a BT connection between the device and the phone and
IAPs in the phone if they must?

------
shostack
Non-engineer here...

What is the significance of this being Mongo vs any other poorly/unsecured DB?

~~~
tclancy
I don't know that it's Mongo-specific, it's more that newer storage engines,
in an effort to be user-friendly, shoot to essentially be zero-configuration
out-of-the-box. You install it, run the daemon and can immediately connect so
you get that positive feedback the engine is easy to work with. This typically
means there's no username/password required and it's listening on its port to
all responses (inside and outside whatever firewall you have). So you start
it, connect to see that it works and think, "I should _really_ secure this
like it says in passing in the docs, but let me try a couple more things
first". All of a sudden it's three weeks later, your MVP is ready to launch
and the username/password has been forgotten.

Other stores may let you get away with setting up "root/root" or
"admin/password" but at least they have forced you to think about setting up
some security. It's a trade-off, but it's a crappy one IMHO. There's no risk to
Mongo, et al: they told you to set up security but didn't force you because
they want you to pick their product.
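The two settings that the comment above is talking about, as an added example (not from the article or from MongoDB): a small audit that parses the flat `section:` / `  key: value` layout most `mongod.conf` files use and flags an all-interfaces `net.bindIp` or a missing `security.authorization: enabled`. Both sample configs are constructed; deeper YAML nesting is out of scope for the parser.

```python
"""Audit a mongod.conf for the two settings that make a default install a
publicly reachable, unauthenticated database.

Added example, not from the article: a parser for the flat two-level
mongod.conf layout (use PyYAML for anything deeper), then checks on
net.bindIp and security.authorization. Both sample configs are constructed.
"""

WEAK_CONF = """\
# constructed: what a "just run the daemon" install often looks like
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the two-level YAML subset into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


ALL_INTERFACES = {"0.0.0.0", "::"}


def audit(conf):
    """Return the list of findings; an empty list means both checks pass."""
    findings = []
    net, sec = conf.get("net", {}), conf.get("security", {})
    if "bindIp" not in net:
        findings.append("net.bindIp not set: mongod before 3.6 listened on all "
                        "interfaces by default")
    elif any(a.strip() in ALL_INTERFACES for a in net["bindIp"].split(",")):
        findings.append(f"net.bindIp={net['bindIp']}: reachable from every network "
                        "the host is on, firewall permitting")
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization not enabled: anyone who reaches "
                        "the port gets full read/write access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["ok"])
```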

------
stefek99
Looking at the stock price - the whole company is in a state of disarray.

Massive negligence.

------
simplemath
IoT should die a swift and permanent death.

Alas, that won't happen.

~~~
Mister_Snuggles
I'd love to see the INTERNET of Things be replaced by the INTRANET of Things.

Remote access can be handled through a VPN, so there's no need for a remote
server. I'm assuming that the device in question has computing hardware that's
at least on par with a $9 CHIP.

What's really needed is for secure and easy to set up VPNs (to connect back to
your home network) to become a thing, then the remote access problems are
taken care of. After this, each IoT device's app just needs to look for the
device and possibly give the user a gentle VPN reminder if it can't find it.

Of course, a VPN introduces a lot of extra work for the user. Even the steps
to connect/disconnect from the VPN add enough friction that some people won't
bother.

~~~
caf
So as a rough straw man sketch of how such a thing could work:

1. Consumer grade routers include a secure VPN endpoint. Whenever the router
connects, it registers its internet-facing address with some vendor-specific
DNS service under a name unique to that router but persistent at least until
the router is factory-reset.

2. Devices on the local WiFi network can request a VPN access token.
Optionally this requires a separate password set in the router, or pressing a
physical button on the router _a la_ WPS. As part of provisioning the token,
the vendor-specific DNS name is also provided to the device. The provisioning
process requires connecting back to a listening socket on the client device.

3. Devices (eg your mobile phone / tablet) provisioned with a VPN access
token can then connect back in to your local network remotely. Each VPN access
token is time-limited, configurable on the router but generally something in
the range of 7 to 60 days. After the token expires you must connect back
locally to the local network to renew it - renewal is blocked over the VPN
connection itself.

4. The router interface can be used to list and manually revoke access
tokens.

5. The client device can automatically connect to the VPN, eg when requested
by an app for one of these IoT devices. On operating systems like Android and
iOS, access to the VPN should be restricted to a specific granted permission.
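The token lifecycle from the sketch above (steps 1 to 4), as an added example that is not code from the commenter or from any router vendor: a simulated router that provisions tokens only to clients on the local network after the button press, enforces the 7 to 60 day lifetime, refuses renewal over the VPN itself, and can list and revoke tokens. The `Router` and `ManualClock` names are invented; the VPN transport, the dynamic-DNS registration and the phone-side auto-connect of step 5 are assumed to exist and are not modelled.

```python
"""Router-issued, time-limited VPN access tokens, as sketched in the
comment above (steps 1 to 4; the phone-side auto-connect of step 5 is left
to the OS). Added example, not code from any router vendor or the commenter:
the router stores only a digest of each token, provisions solely to clients
on the local network after the button press, caps lifetime at 7 to 60 days,
refuses renewal over the VPN, and can list and revoke tokens. The VPN
transport and dynamic-DNS registration are assumed and not modelled.
"""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

MIN_DAYS, MAX_DAYS = 7, 60

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class ManualClock:
    """Constructed clock so the demo and tests can move time forward."""
    def __init__(self, start=datetime(2017, 2, 28, tzinfo=timezone.utc)):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, days):
        self.t += timedelta(days=days)

class Router:
    def __init__(self, ddns_name, lifetime_days=30, now=None):
        if not MIN_DAYS <= lifetime_days <= MAX_DAYS:
            raise ValueError("token lifetime must be between 7 and 60 days")
        self.ddns_name = ddns_name          # step 1: persistent vendor DNS name
        self.lifetime = timedelta(days=lifetime_days)
        self.tokens = {}                    # sha256(token) -> (device, expiry)
        self.now = now or (lambda: datetime.now(timezone.utc))

    def provision(self, device, via, button_pressed):
        """Step 2: hand out a token, but only to a client on the local WiFi."""
        if via != "lan":
            raise PermissionError("provisioning is only possible on the local network")
        if not button_pressed:
            raise PermissionError("press the physical button on the router first")
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (device, self.now() + self.lifetime)
        return {"ddns_name": self.ddns_name, "token": token}

    def vpn_connect(self, token):
        """Step 3: accept a remote VPN connection while the token is unexpired."""
        entry = self.tokens.get(_digest(token))
        if entry is None or self.now() >= entry[1]:
            self.tokens.pop(_digest(token), None)   # expired tokens are dropped
            return False
        return True

    def renew(self, token, via):
        """Renewal only from the local network, never over the VPN connection."""
        if via != "lan":
            raise PermissionError("renew from the local network, not over the VPN")
        key = _digest(token)
        if key not in self.tokens:
            raise KeyError("unknown or expired token: provision again locally")
        self.tokens[key] = (self.tokens[key][0], self.now() + self.lifetime)

    def list_tokens(self):
        """Step 4: what the router UI would show; revoke by the listed digest."""
        return [(d, dev, exp.isoformat()) for d, (dev, exp) in self.tokens.items()]

    def revoke(self, digest):
        self.tokens.pop(digest, None)
```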

~~~
Mister_Snuggles
I like this idea.

I honestly think most of the pieces are there. My old router, an ASUS
RT-AC56U, has an OpenVPN server built in. It also supports dynamic DNS through an
Asus-provided service. iOS (and probably Android) supports VPN-on-demand.

This is basically all of the infrastructure needed to do what you suggest.

The only piece missing is the easy-to-use provisioning/management piece.

~~~
SomeStupidPoint
It's not totally secure, but why not just a physical button that enables a
bluetooth device that transfers a token?

I think you could even have a BT pin, so it would require a little security
(eg, neighbors don't have your pin). It should be relatively straightforward
to have a BT profile for "token authority".

It certainly would be reasonably easy to use on most devices: just press
button and connect to the token device.

~~~
caf
I think it makes more sense to use the WiFi radio, if for no other reason than
adding a BT transceiver to the BOM is probably a nonstarter.

------
chinathrow
Internet of bear poo.

------
matt_morgan
I wonder what cloud-connected pets the Trump and Trump-Kushners have.

------
coleifer
Oh god, it's a kids' toy. It's meant to be something fun and cute. What a bunch
of jerks to go messing around with that.

~~~
Scott_Helme_
How about 'what a bunch of jerks to connect it to the internet and not secure
it properly'?

~~~
r1ch
The company was tanking and they were looking to make a quick buck. What
market motivation would they have to spend extra time and money securing it
properly? This is a fine example of why we need IOT regulation.

~~~
wyager
> This is a fine example of why we need IOT regulation.

Cool, let's just inundate the industry with pointless government "security"
checklists that don't actually accomplish anything. That way, instead of a
small fraction of all the cool, affordable products we now have access to
occasionally getting hacked, we can just not have any cool, affordable
products except those made by companies big enough to hire enough corporate
lawyers to CYA their way to government approval.

How about, if you care so much about teddy bears getting owned, you just don't
buy them? It's easier and more polite than taking them away from everyone else
as well.

You can't legislate security into existence. That's not how it works. Security
isn't a solved problem, so the government can't force people to do it
correctly. The _only_ thing you can possibly accomplish is either making
products more expensive (with no/negligible actual security benefit) or
removing them from the market entirely.

~~~
ajmurmann
I agree that regulating this will just cause security theater. However, it's
also unreasonable to expect non-technical consumers to understand what's going
on and what the implications of their choices might be for any given IoT
device. Many probably would have a hard time deciding what devices are even
IoT. Maybe this is a gap that could instead be filled by a consumer review
product service that focuses on IoT devices and their security. I expect that
the general public didn't care enough though to make this viable. Maybe once
more toys got compromised...

Edit: I also wonder if stronger punishments for people involved in extreme
cases like this would help. If you make a reasonable effort to secure your
service and get hacked anyway that's one thing. But not even attempting to
secure your service at all is something you shouldn't get away with. Of course
the problem is how "reasonable effort" would be interpreted legally.

