In-brief: the apparent leak of data on owners of CloudPets connected stuffed animals underscores lax security and privacy practices that are common among connected products firms. (Updated with comment from Troy Hunt. PFR 2/28/2017.)
A California-based maker of connected toys is alleged to have exposed information on hundreds of thousands of customers – many of them children – in an unsecured, online database that became the victim of roving ransomware gangs.
The incident, which affected Los Angeles-based Spiral Toys Inc. and its CloudPets brand of interactive stuffed animals, is just the latest to highlight the privacy and security dangers of connected playthings. It comes just weeks after German regulators at the country’s Federal Network Agency (Bundesnetzagentur) instructed parents in that country to destroy the My Friend Cayla doll, an interactive toy that the government considers an illegal “surveillance device.”
Here’s what we know: security researcher Troy Hunt wrote on Monday to call attention to what he alleges is a very large security breach affecting the firm Spiral Toys, a connected toymaker based in Los Angeles, California. According to Hunt, data on more than half a million customers who registered their CloudPets products was left exposed online in a MongoDB instance that was accessible from the public Internet and not secured.
According to Hunt, the database was indexed by the search engine Shodan (shodan.io) and discovered by a wide range of individuals – white hats and black. Troy claims that he was personally forwarded data from a database table holding 583,000 records of customer data, including user names and hashed password values. Others had been notified of the leak as well, including a reporter for the web site Vice.com. After viewing the leaked data, Hunt verified with one CloudPets account holder that the data was legitimate.
There is a long list of slip-ups cataloged by Hunt, and his blog post is worth reading in its entirety. What’s clear is that the customer database in question was exposed and vulnerable online going back at least to late December. In fact, the breach was quickly discovered by security professionals who attempted to notify the company, Spiral Toys, that its customer data was sitting out on the public Internet. Hunt relates stories of at least three well-meaning individuals who notified the company by email in late December or early January about the flaw, to no avail.
What’s also clear is that Spiral Toys had an approach to security that was cavalier – at best. According to Hunt’s post, the company used real customer data in both production and test environments (a cardinal sin) and then left both databases exposed to the public – a lapse so basic that it doesn’t even warrant explanation.
The company made liberal use of Amazon’s AWS infrastructure to store both images and voice recordings for customers – a common decision for connected product firms. But, according to Hunt’s investigation, Spiral Toys failed to secure that stored information in any way. The obscurity of the data within Amazon’s massive cloud infrastructure was, in short, the only defense separating the public from customers’ sensitive data. Anyone with knowledge of the Amazon Web Services URL for the CloudPets data could access that data, Troy observed.
Furthermore, many of the passwords protecting customer accounts were easily cracked. Troy noted that CloudPets did not place any restrictions on password length or complexity, allowing even single character passwords to protect accounts. That means many leaked accounts were susceptible to cracking.
No surprise, the presence of a massive trove of sensitive customer data in an insecure MongoDB instance didn’t escape the notice of cyber criminals. As we and others have noted, cyber criminals and ransomware scammers have been preying on insecure or lightly secured MongoDB databases for months: accessing and encrypting their contents, then holding the databases for ransom.
That appears to be what happened to Spiral Toys’ CloudPets databases, starting in early January and lasting through the middle of the month, with CloudPets databases ransomed and deleted on more than one occasion.
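As an added example (not from the article, and not Spiral Toys’ own code or deployment), here is a small Python audit that flags the configuration pattern behind this kind of exposure: a mongod.conf that binds to every interface with authorization left off. The two configs are constructed, one weak and one hardened, and the parser is a minimal one written for the example.

```python
# Added example: audit a mongod.conf for the exposure pattern described above
# (listening on every interface with no authorization). Constructed configs,
# not Spiral Toys' deployment; the parser handles only the indented "key: value"
# subset of YAML that mongod.conf uses (no lists, no quoted strings).

def parse_mongod_conf(text):
    """Parse nested 'key: value' lines into dicts, nesting by indentation."""
    root = {}
    stack = [(-1, root)]                       # (indent, dict) for open blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # climb out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_mongod(conf):
    """Return findings; mongod defaults to localhost-only, but with auth off."""
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind_all = net.get("bindIpAll") == "true" or any(
        ip.strip() in ("0.0.0.0", "::") for ip in net.get("bindIp", "127.0.0.1").split(","))
    auth_on = sec.get("authorization") == "enabled"
    findings = []
    if bind_all:
        findings.append("net.bindIp exposes mongod on every interface; restrict it or firewall the port")
    if not auth_on:
        findings.append("security.authorization is not enabled; any client that connects can read, drop or ransom the data")
    if bind_all and not auth_on:
        findings.insert(0, "CRITICAL: unauthenticated database reachable from the network")
    return findings

WEAK_CONF = """\
net:
  bindIp: 0.0.0.0              # reachable from the public Internet
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private interface
security:
  authorization: enabled
"""
```

Running `audit_mongod(parse_mongod_conf(WEAK_CONF))` yields a CRITICAL finding plus the two underlying ones, while the hardened config yields none.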
Spiral Toys makes a range of products, including the Wiggy mobile-connected piggy bank, which was released in November. The company notes that it was founded by “a former senior executive of Disney and Sony,” and is “focused on developing and marketing products and mobile applications in the mobile-connected space.” Email messages sent to Spiral Toys executives by Security Ledger seeking comment were not returned. A message sent to the designated support email for CloudPets bounced.
However, in an interview with Network World, Spiral Toys CEO Mark Meyers said that Hunt’s account was inaccurate. Meyers said his company only learned of the security issue this week and denied that voice recordings were “stolen.” (It’s worth noting that Hunt never said that voice recordings were stolen – only that they are publicly accessible to anyone who knows the location of the stored recordings on Amazon’s AWS cloud.) Meyers also denied that the company’s customers’ data was exposed and defended the weak password requirements for CloudPets accounts (“We have to find a balance? How much is too much,” he told Network World.)
The CEO’s statements “just don’t reconcile with the facts,” Hunt told The Security Ledger on Tuesday, pointing to a long list of evidence that the company was aware of the incident, including a support ticket submitted to Spiral Toys on December 31st, the evidence that the company’s MongoDB database was hacked and ransomed, and the fact that the same database is now patched and online.
A security professional who tests Internet of Things products said the kinds of flaws documented by Hunt are not unusual. “Unfortunately a lot of these kinds of vulnerabilities are not uncommon,” said Deral Heiland, a research lead at the firm Rapid7.
Internet of Things products like connected toys have complex ecosystems of providers – from cloud-based hosting firms to mobile application development crews. Security flaws can be introduced at any step in the process, he said. Even if the product itself – in this case, a plush plaything – is safe and secure, the ecosystem that supports the connected product may not be.
Still, the ham-fisted nature of the CloudPets deployment surprised Heiland. “Is it common to see a database just exposed on the Internet? Seven or eight years ago it was quite common. But it’s rare to see test servers and production servers just out there exposed.”
As for Spiral Toys’ claims that customer data was not exposed, Heiland said the fact that those exposed databases were held for ransom is proof enough that the CloudPets data was leaked. “If your database was ransomed, it should be assumed that it was compromised. One hundred percent,” Heiland said.
While the kinds of flaws discovered by Hunt and others aren’t unusual, the concentration of them in one product is. So, too, is Spiral Toys’ slow response in addressing the issues raised by security vendors and notifying its customers. As of Tuesday, neither the Spiral Toys nor the CloudPets website makes any mention of the incident. The issue seems to fall clearly within the definition of a data breach under California’s mandatory breach disclosure law. As of Tuesday, however, no such notification has taken place.
Heiland said that even a modicum of security testing prior to release of the CloudPets products would have turned up the security flaws that Hunt reported. He urged companies like Spiral Toys to conduct testing of connected products prior to release and to have a way for security researchers to reach technical staff within the organization when security issues arise.
The CloudPets incident is another sign of growing concern about the privacy and security impacts of connected playthings. In December, the consumer groups The Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood, The Center for Digital Democracy and the Consumers Union filed a complaint with the FTC over two toys, the Cayla doll and a robot named I-QUE, that they said were recording the voices of children who interact with them, then sharing that data with third parties. The government of Germany subsequently banned the Cayla doll, designating it as a ‘surveillance device’ of the type prohibited under German law.
While the FTC has taken actions against makers of smart televisions and IP-enabled cameras for security and privacy lapses in their products, connected toys are a new area. In January, however, the Commission said it was “reviewing” the complaint filed by the consumer groups.