Smart Toy Maker implicated in Data Breach, Hackers Demand Ransom for Stolen Messages

CloudPets user data, possibly including children’s voice messages, was hacked and held for ransom

According to security researcher Troy Hunt, a series of web-connected, app-enabled toys called CloudPets has been hacked. The manufacturer’s central database was reportedly compromised over several months as a result of stunningly poor security, despite the attempts of many researchers and journalists to inform the manufacturer of the potential danger. Several ransom notes were left, demanding Bitcoin payments for the implied deletion of stolen data.

CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth-connected stuffed toy and is played back. Kids can squeeze the stuffed animal’s paw to record a message of their own, which is sent back to the phone app. It’s a fairly basic idea, and an appealing one for parents who travel frequently or grandparents living at a distance from their families. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising.

Hunt’s exhaustive breakdown of CloudPets’ security problems is available at the source link below.

Source: Troy Hunt