Internet of things

Hacked ‘smart teddy’ database of two million personal voice messages lacked even basic password protection – security experts respond

Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
March 1, 2017


‘Smart’ teddy bears are the latest internet-connected ‘thing’ to be breached with apparent ease by hackers.

A database containing two million personal voice messages – which are recorded via an app and replayed through the teddy bear when parents are away from their children – along with more than 800,000 customer credentials, didn’t even have the most rudimentary security protections in place.

The CloudPets database – a MongoDB instance – had neither a firewall nor password protection and was easy to find via the internet of things search engine Shodan.
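The two settings the story turns on are whether the database server listens on every network interface and whether it requires clients to authenticate. The script below is an added example, not code from the article or from CloudPets: it parses the small indented key/value subset of a mongod.conf file that these checks need and flags the weak combination next to a hardened one. Both configuration samples are constructed for the example; the key names (net.bindIp, net.bindIpAll, security.authorization) are real mongod options.

```python
"""Audit a mongod.conf for the two settings behind the CloudPets exposure:
listening on all interfaces, and running without client authorization.
Added example; the config texts below are constructed, not CloudPets' own."""

# Constructed example of an exposed deployment: reachable from anywhere,
# and no 'security' section at all, so no credentials are required.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example of the corrected deployment: loopback plus one
# private address for the application tier, and authorization enabled.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # app tier's private address (constructed)
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the 'section:' / '  key: value' subset of mongod.conf YAML.
    This is deliberately not a full YAML parser; it covers the flat,
    two-level layout a typical mongod.conf uses for these options."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if indent == 0:
            section = key
            config[section] = value if value else {}
        elif isinstance(config.get(section), dict):
            config[section][key] = value
    return config


def audit(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    net = config.get("net", {}) if isinstance(config.get("net"), dict) else {}
    security = config.get("security", {}) if isinstance(config.get("security"), dict) else {}

    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_ip is None and not bind_all:
        # mongod 3.6+ defaults to localhost; releases current in 2017 bound
        # every interface unless told otherwise, so an unset value is a finding.
        findings.append("net.bindIp not set explicitly; relies on the server default")
    exposed = bind_all or (bind_ip is not None and any(
        ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")))
    if exposed:
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")

    auth_enabled = security.get("authorization", "disabled").lower() == "enabled"
    if not auth_enabled:
        findings.append("client authorization is not enabled (security.authorization)")

    if exposed and not auth_enabled:
        findings.append("CRITICAL: database reachable from the network with no credentials required")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(text)) or ["no findings"])
```

Run it against a server's own mongod.conf by reading the file into the text argument. The audit is a static check of configuration only; it says nothing about host firewall rules, which the article notes were also absent, and a complete review would confirm those separately.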

Around 800,000 email addresses and passwords, the latter hashed with the bcrypt function, were compromised.

It’s another blow to the still fairly nascent IoT industry, which is putting computer chips into everything from hairbrushes to cat litter trays.

The general public hasn’t exactly embraced radiation-blocking underwear and the smart fork with unbound enthusiasm – albeit the response to Amazon Alexa has been more enthusiastic. This is hardly likely to change if such frivolities entail huge risks in terms of personal data. Cyber vulnerabilities were a significant factor behind Wired Magazine’s recent prediction that the internet of things bubble will burst in 2017.

Three cybersecurity experts have reflected on the implications of the CloudPets hack below. They also offer their prescriptions for reducing cyber risks in similar scenarios.

David Navin, corporate security specialist, Smoothwall

“That the information gathered by the teddy bear was public and not protected by a password or firewall is baffling”

The idea of an innocent household teddy bear sharing voice recordings, email addresses and passwords of its users may sound like an elaborate plot from a budget Hollywood film, but is in fact a reality faced by over 800,000 accounts linked to the bear. As the IoT becomes increasingly prevalent in the home, ensuring data is stored safely and securely must be an absolute priority.

Parents should feel comforted in knowing that the toys their children play with are secure and private, without having to worry that their personal information attached to that device could be hacked and potentially exploited.

The news that the database where all information gathered by the teddy bear was stored was public and not protected by a password or firewall is somewhat baffling. The fact that the customer data was accessed many times from a whole host of sources goes to show how vulnerable and attractive a company is without the proper security measures in place.

Every company must therefore build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring to counteract threat actors attempting to steal information.

Rob Norris, VP, head of enterprise and cybersecurity (EMEIA), Fujitsu

“This once again demonstrates how capable hackers are at targeting areas where people may not be thinking too seriously about how their data is being protected”

The fact that hackers have exposed over two million voice recordings of parents and children, as well as 800,000 email addresses and passwords, is a huge misstep. In an era where data is becoming the new currency, all personal data, be it used for a toy or bank accounts, needs to be properly protected.

Cybercriminals are entrepreneurial, well-sourced and motivated. This once again demonstrates how capable hackers are at targeting areas where people may not be thinking too seriously about how their data is being protected and thereby allowing hackers to get what they want.

It also highlights how organisations need to be wary of attacks, as damage could be far greater than they may realise. Consumers too must ensure they use different passwords for different applications and are aware of the security risks, as hackers may be able to hack into other accounts using the same information.

As the number of these threats continues to increase exponentially, no business nor consumer can afford for cybersecurity not to be their number one priority.

With breaches happening like this on a daily basis, it’s vital that both consumers and organisations take a proactive approach when it comes to security. Organisations need to think about what data they need to protect and focus on the integration of threat intelligence and other information sources, to provide the context necessary to deal with today’s advanced cyber threats.

There must be a clear and well-rehearsed crisis management plan for a breach, addressing internal and external communication. As well as this, consumers need to ensure they use different passwords for different applications and are aware of the security risks when using payment information.

Consumers should consider two-factor authentication alternatives where possible – so passwords are rendered useless on their own – such as facial, voice, iris, palm and fingerprint biometrics for an additional layer of protection.

John Shier, senior security adviser, Sophos

“What’s really disappointing in this case is that it wouldn’t have cost anything to at the very least apply a password to the database”

This is a perfect example of what can go wrong with IoT, in this case when the backend systems to which the devices are connected are not implemented properly. This company clearly should have implemented better security and either chose not to, or didn’t understand the implications of not doing it.

What’s really disappointing in this case is that it wouldn’t have cost anything to at the very least apply a password to the database. Until IoT device makers start to take security and the privacy of their users seriously we will only see more of these kinds of breaches.

Tips from Sophos:

1. Google search to see if the “thing” has been attacked already. Often it is good to choose a brand you think will be around for a year or more so you have someone to ask for updates if something bad occurs.
2. Don’t connect devices to the network if you don’t have to. If all you want from your TV is to watch broadcast television, you don’t need to connect it to the network. Eliminate unnecessary internet connections when possible.
3. Make a guest network for your “things” and connect them there. If your home Wi-Fi router allows you to create separate guest networks, you should do so. This will keep untrusted devices off your regular network.
4. Keep the firmware up to date on all of your IoT devices. Patching is just as important as it is on your PC. It can be time consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer’s website twice a year? Treat it like changing your smoke detector batteries: a small price to pay for safety and security.

1 Comment

SeanOvenden, March 2, 2017 1:01 pm

I bought 1 of these teddies for my girlfriend. Registration was hard and wouldn’t connect to anything. Reset but same problem. Lucky I’m not in the intrusion. How many have Toy Entertainer shops sold at just £5.99, ah oh. And down to A Password!