[Updated] Teddy bears involved in hacking 800,000 user records

UPDATE: This story was first published March 2.

Teddy bears that send and receive audio messages via smartphones have become the center of a major security threat. Spiral Toys, which manufactures the Internet of Things-enabled toy bears under its CloudPets brand, has left more than 800,000 customer records and 2 million audio recordings exposed.

Spiral Toys held customers’ emails and passwords on a MongoDB database that was reportedly neither password-protected nor behind a firewall, leaving it vulnerable to attack. Moreover, the database had been indexed by Shodan, a search engine that makes it easy to find unprotected websites and servers.

The voice messages were held on a separate Amazon S3 bucket. However, because the app and its users had such poor password practices, hacking into customers’ accounts and listening to saved messages would be relatively simple.

Password requirements

The exposed data was secured with the hashing function bcrypt, but CloudPets’ app didn’t set any requirements for users’ passwords, making them much easier to crack. Customers could, if they wished, create single-letter passwords. While there are no recorded passwords quite that simple, Troy Hunt, a security researcher who runs Have I Been Pwned, reported that many customers used incredibly weak passwords, such as “qwe,” “123456,” or “cloudpets”.
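A signup-time password check of the kind the app lacked, as an added example (not code from Spiral Toys or from Hunt's write-up). The 12-character minimum, the short sample denylist and every function name are assumptions made for illustration.

```python
import unicodedata

MIN_LENGTH = 12  # assumed policy value, not taken from the article
# Constructed sample denylist; a real deployment loads a large breached-password list.
COMMON = {"123456", "password", "qwerty", "letmein", "qwe", "111111"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
                 "abcdefghijklmnopqrstuvwxyz")


def _normalize(text):
    """Fold case and Unicode compatibility forms so 'CloudPets' == 'cloudpets'."""
    return unicodedata.normalize("NFKC", text).casefold()


def _is_sequence(pw):
    """True if the whole password is one run along a keyboard row or the alphabet."""
    return len(pw) >= 3 and any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password, email, service_name="cloudpets"):
    """Return a list of policy violations; an empty list means the password is accepted."""
    pw = _normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if pw in COMMON:
        problems.append("common_password")
    if _is_sequence(pw) or len(set(pw)) <= 2:
        problems.append("predictable_pattern")
    # Context words are guessed first: the service name and the account name.
    local_part = _normalize(email).split("@", 1)[0]
    for word in (_normalize(service_name), local_part):
        if len(word) >= 3 and word in pw:
            problems.append("contains_context_word")
            break
    return problems


if __name__ == "__main__":
    # The three weak passwords quoted in the article, plus one acceptable passphrase.
    for candidate in ("qwe", "123456", "cloudpets", "maple-harbor-violin-42"):
        print(candidate, check_password(candidate, "parent@example.com"))
```

Running the check before the password is hashed matters because bcrypt only slows each guess; it does nothing for a password that is among the first guesses tried.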

A “minimal issue”?

Around 2.2 million voice recordings are thought to have been exposed following the breach, but remarkably, Mark Meyers, the CEO of Spiral Toys, claimed that the breach was a “very minimal issue.”

Spiral Toys went on to claim that there was no direct evidence that the information got into the hands of hackers.

If this is true, Spiral Toys was incredibly lucky. At the time the information was exposed, several cyber criminals were actively scanning the Internet for exposed MongoDB databases and, according to Motherboard, CloudPets’ data was overwritten twice during this period.

In Hunt’s blog, he claimed that a hacker left a ransom for Spiral Toys on their database, but his message was overwritten by another hacker. He couldn’t confirm whether or not either of those attackers exfiltrated any data.

Both Hunt and Victor Gevers, the chairman of the non-profit GDI Foundation, believe the CloudPets database is currently circulating on the dark web. This is particularly concerning, given the latest announcement that the toy bears themselves are insecure and could easily be hacked and turned into spy devices.

Teddy bear spies

Anyone within range of a CloudPets bear – around 30 feet (or more with a directional antenna) – could connect to the toy and receive audio from the microphone, wrote Paul Stone, a security researcher who studied how the toys work.

That means that the teddy bears could be turned into remote surveillance devices. If you think that sounds like something out of a Thomas Pynchon novel, you’re not wrong.

Stone also observed that a potential hacker could play a message through the bear. In a video that Stone shared with Motherboard, he showed how he could make the toy repeat any message he wanted.

“Exterminate, annihilate, destroy,” the unicorn-shaped pet toy says in the video.

Update: Backlash

Since the CloudPets breach was first reported, the company has faced a series of further embarrassments. Soon after we originally published this story, another vulnerability affecting the toys was discovered: they are not secured against remote exploitation via the Bluetooth web API.

Spiral Toys was then sent a letter by a US Senator, who demanded answers about the security of its toys. Bill Nelson (D-FL), a ranking member of the Senate Committee on Commerce, Science, and Transportation, wrote to Mark Meyers with 10 questions, including a request for a detailed summary of the breach.

The incident has also seen CloudPets become the subject of ridicule on social media, particularly after one Twitter user claimed that CloudPets products are now on sale at a 99 cent store.

Lessons to be learned

It’s not unusual for companies to go to market with some known risk to their products, but as Tim Prendergast, co-founder of Evident.io, wrote in response to the CloudPets breach, the vulnerabilities should always be fixed once the pressure to meet a release date is off.

“Today, we see companies getting destroyed at an increasing rate because they’re not building security into their development and deployment processes,” Prendergast wrote. “They wait until the last possible moment to discuss and implement security measures, which can leave them open to attack or ransom. In some cases, it can put them out of business.”

This breach may well put Spiral Toys out of business. Even before the vulnerability was made public, Spiral Toys was worth less than half a cent a share, and – as you might expect – its value has fallen further in the past month.
