It has just been reported that up to 800,000 people who owned a smart teddy bear made by Spiral Toys, under the CloudPets banner, have had their account data stolen by hackers. Now, this blog post is about this particular toy, but it could easily apply to other types of “smart toy”, so do read on.
What is a “smart teddy bear?” I hear you ask. Apparently these toys can send and receive voice messages between children and their parents … which is nice. While the voice recordings were not apparently leaked, the criminals may be able to use the data they have stolen to access the servers where the recordings are stored and download them.
The data that was stolen included e-mail addresses and “hashed” passwords. This means that the passwords were scrambled, which shows a sensible security practice by the company, as the evildoers will have difficulty cracking a “hashed” password.
However, that one sensible security practice has been undone by the fact that the password policy accepted a single character as a password. So the password “e” could be cracked by a hacker in less than a second. If the passwords were a more acceptable 12 characters long with complexity requirements, then we are looking at decades or even centuries to crack a hashed password.
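To make the point concrete, here is an added example (my own code, not anything from Spiral Toys or CloudPets) that enforces the 12-character-with-complexity policy the post recommends, rejects the sort of trivial passwords mentioned here, and shows the “hashing” step done properly with a salt and a slow key-derivation function. The iteration count, the tiny common-password blocklist and the storage format are all assumptions for the sake of illustration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Constructed blocklist of a few commonly leaked passwords (assumption: a real
# deployment would load a large list from a breach corpus, not hard-code five).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}

MIN_LENGTH = 12          # the minimum the post recommends
ITERATIONS = 600_000     # assumed PBKDF2 work factor; tune to your hardware


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


def search_space(password: str) -> int:
    """Number of candidates a brute-force attacker must try for a password of
    this length drawn from the character classes it actually uses.
    Shows why a one-letter password falls in well under a second."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size ** len(password)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as algo$iterations$salt$digest (assumed format)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("e", "123456", "Correct-Horse-42!"):
        print(f"{candidate!r}: space={search_space(candidate)}, "
              f"problems={check_policy(candidate) or 'none'}")
    stored = hash_password("Correct-Horse-42!")
    print("verify ok:", verify_password("Correct-Horse-42!", stored))
    print("verify wrong:", verify_password("correct-horse-42!", stored))
```

Note that a good hash alone does not rescue a one-character password: with only 26 candidates to try, the attacker’s cost is 26 hash computations whatever the work factor, which is the post’s point about the policy undoing the hashing.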
Another security fail by the company was storing the customer data in a particular type of database (MongoDB) which was publicly exposed online and required no form of authentication for somebody to access it … yes folks, you read that right … if you could see the database server, you could access all of its data.
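As an added illustration (constructed for this post, not the company’s actual configuration, which is not public here), this is what the two situations look like in a mongod.conf file: the first document listens on every interface with authentication switched off, which is exactly the “anyone who can see the server can read everything” condition; the second binds to the local interface only and requires every client to authenticate. The port and interface values are assumptions; the keys are MongoDB’s own.

```yaml
# Exposed (constructed example): reachable from any network, no login needed.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# Hardened (constructed example): local listener only, authentication required.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

Enabling `authorization` only helps once an administrative user exists, so that is created first; and the binding is worth confirming from the outside with a port listing rather than trusting the file. Note that MongoDB versions before 3.6 bound to all interfaces by default, which is how a great many databases ended up reachable from the internet without anyone consciously choosing it.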
If the evildoers had cracked some passwords (and one of the researchers in the linked article did, using the old reliable “123456”), then they could log on to the accounts and download the voice messages left by parents and children for that account.
The company had been notified that their MongoDB database was exposed in December, but they did not seem to take any action. The CEO of the company made some statements defending their handling of the situation and playing down any risks associated with the leak (the statements are quoted in the linked article), but frankly none of them are acceptable.
In fact, come May 25th 2018, if any EU citizen had an account with this crowd and they continued to adopt this laissez-faire attitude to the security of their customers’ personal data, then they will find themselves slapped with a big ol’ fine from the EU under the General Data Protection Regulation (GDPR). That might get their attention. Yes, you did read that right. Under the GDPR, a company anywhere in the world that stores or processes the personal information of an EU citizen is governed by the GDPR and can be penalised for breaching this regulation.
So in conclusion, if you have any “smart” or “connected” device/toy/whatever, make sure you have a good, strong, 12-character minimum – with complexity – password for it and for any online account associated with it. This password should be unique to that device. Come on folks, you know that this is important. Your teddy bear is listening, after all! ☺