CloudPets, a company which makes internet connected toys for children, has suffered a data breach exposing voice recordings between family members as well as sensitive account information.
The Guru reached out to security experts for their reaction on the news.
David Kennerley, Director of Threat Research at Webroot:
“The CloudPets breach is just another in a long list of poorly secured internet-connected devices, although in this case sensitive information was barely secured at all. Aside from the sheer creepiness of hacking a children’s toy, this type of sensitive information can be used by cyber criminals to access a user’s more high-value accounts. The ease with which an attacker can access users’ details including passwords can give them a starting point for accessing other accounts, and sensitive family information can be used to guess passwords and secret questions.
“At the moment we are seeing a number of attacks focused on extortion, with attackers brute-forcing platforms like MongoDB and MySQL. Users are “setting and forgetting” these protocols, tools and software, so we are likely to see more cases hit the news going forward. Companies must ensure that they are securing their devices and the information they collect properly. The CloudPets situation is a prime example of connected device manufacturers being grossly negligent towards the security of their products. In addition, users must be educated on the potential for these devices to generate and store sensitive data, as well as how to use good security practices to ensure their information is safe.”
Richard Brown, Director EMEA Channels & Alliances at Arbor Networks:
“The fact that two million voice recordings of children and their families were exposed online and held to ransom due to an insecure MongoDB installation, highlights just how attractive IoT devices are to attackers because so many are shipped with insecure defaults. A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities. There are tens of millions of vulnerable IoT devices, and their numbers are growing daily.
“To combat these types of attacks, the solution is twofold. Firstly, users should look to protect their own connected devices, by isolating IoT devices from other services and the internet if they aren’t required. From a business perspective, security teams should implement best practices for ingress filtering to ensure product updates are legitimate from the network. Organisations should also isolate management traffic from data traffic, harden devices and shut down unneeded services, and understand traffic patterns and know what normal traffic looks like.”
John Madelin, CEO at RelianceACSN:
“The security of IoT devices is a growing concern in the industry, but connected toys that are easily accessible by hackers are sinister. The CloudPets issue highlights the fact that manufacturers of connected devices really struggle to bake security in from the start. The 2.2 million voice recordings were stored online, but not securely, along with email addresses and “easily guessable” passwords of 800,000 users, this is unforgivable. It’s clear that Spiral Toys hasn’t put basic security measures in place to protect its customers’ data. Knowing what critical information your organisation holds and why it’s of value to potential hackers, then ensuring that it’s stored securely is a crucial part of security management for any organisation.”
David Navin, Corporate Security Specialist at Smoothwall:
“The idea of an innocent household teddy bear sharing voice recordings, e-mail addresses and passwords of its users may sound like an elaborate plot from a budget Hollywood film, but is in fact a reality faced by over 800,000 accounts linked to the bear. As the IoT becomes increasingly prevalent in the home, ensuring data is stored safely and securely must be an absolute priority. Parents should feel comforted in knowing that the toys their children play with are secure and private, without having to worry about their personal information attached to that device could be hacked and potentially exploited.
“The news that the database where all information gathered by the teddy bear was public and not protected by a password or firewall is somewhat baffling; the fact that the customer data was accessed many times from a whole host of sources goes to show how vulnerable and attractive a company is without the proper security measures in place. Every company must therefore build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring to counteract threat actors attempting to steal information.”
Bryce Boland, Chief Technology Officer for Asia Pacific at FireEye:
“This is case of a company bringing a connected toy to the market without taking the most basic steps to protect the information of children or their parents. They are using an unauthenticated database and have audio recordings and images publicly accessible. There’s little excuse for this.
It’s not an isolated incident. This isn’t the first case of a toy manufacturers failing to protect their customers’ information and it likely won’t be the last. The fact is, a baby’s crib is required to meet more rigorous safety standards and testing than connected devices like baby monitors or connected toys.
Companies need to bake security into the design of their products. Security can’t be an afterthought. Connected devices like these need to be designed assuming hackers will try to compromise them. They should be designed so that even if they are compromised and information is stolen, it is useless to the attacker.
As the number of connected devices in our lives grows, we are becoming more vulnerable to devices with weak security. This is frustrating for consumers because they don’t have good visibility into these threats or vulnerabilities. Consumers need to be aware that there will always be potential attack vectors in products connect to the internet, and if there’s no evidence from the company they’ve taken steps to secure information, they probably haven’t. In fact, even in cases where companies claim to have taken steps, we sometimes see they haven’t adequately addressed threats.
Things will probably get worse before they get better. It’s a safe bet that attackers will continue to move faster than manufacturers. In fact, this case could’ve been worse. Imagine attackers using the toys as Trojan horses to encrypt files on the home network and then demand a ransomware.
I’m not typically a fan of regulation, but governments need to shift security from an economic externality to a cost of doing business. Until that happens, these events will continue to be common.”
Paul Calatayud, CTO at FireMon:
“As I like to call IoT, the IOMT as in internet of malicious things, news of the teddy bear leak hit on two main issues: 1) the growing use of open source databases, and 2) putting devices on the internet.
MongoDB is becoming a common technology for use in e-commerce due to its flexibility and price (free). Like most things that are free, there are hidden costs in the form of no security confirmations or common security models. This results in what I call security regression, where the best practices become quickly forgotten in the rush to slap an application on the internet. Combine this with devices that are exposed to the internet you have a combination for a hackers paradise.
Consumers needs to be aware that it takes a lot of energy and investments to properly secure their information. If you have a sense the company may not be up to the task, you may want to think twice about what information you are sharing with them.”
Ben Herzberg, security research group manager at Imperva Incapsula:
“Let’s start with the good: Using a slow-to-crack algorithm (bCrypt) was a good choice, and probably prevented additional damage.
With the great increase of IoT devices (from teddy bears like the ones connecting with the CloudPets to medical devices monitoring patients to connected refrigerators), our race for innovation brings a lot of cool stuff to life in a very short time, and this will continue in the next years, as there is a potential to revolutionise the way we’re living.
However, we’ve seen a lot of security glitches from these IoT companies, and they need to understand that Information Security is not a “good-to-have”. We’ve seen 100,000’s of such devices used in Denial of Service attacks, taking down huge organisations. We’re seeing those devices being used in other malicious activities like probing websites for vulnerabilities and attempting to take over accounts.
In conclusion – every company that’s selling devices that connects to the internet must know that in that moment they become a target, and will probably not have a lot of grace time before they start getting attacked.”