Security in the digital age continues to be an uphill battle and it’s claiming many victims along the way. CloudPets is a line of children’s toys — namely teddy bears — that are internet connected and interactive, unfortunately, CloudPets just exposed millions of kids voice messages along with parents emails and passwords. The data being collected by CloudPets was being stored in a MongoDB on a public network with no security measures in place. That basically means every personal message exchanged between the toy and the child was readily accessible by anyone.
“Lax security practices that expose the personal data of children and parents to data-jacking are just unconscionable,” said Zohar Alon, CEO and co-founder, Dome9 Security. “Customers of public cloud services such as Amazon Web Services and Microsoft Azure have cutting-edge tools at their disposal to manage security in their environments, including identity and access management, network security and application firewalls. But the best tools can’t save customers from irresponsible behavior. The agility and ease of use of the public cloud make it just as easy to build new apps that don’t take security into account.”
Microsoft Regional Director and MVP Troy Hunt outlines the entire breach in his blog post and also claims he contacted CloudPets about the security issues. Hunt says the company was aware of the problem even before his emails and seemed to just ignore the situation altogether.
Circling back to the parents’ position for a moment, you must assume data like this will end up in other peoples’ hands. Whether it’s the Cayla doll, the Barbie, the VTech tablets or the CloudPets, assume breach. It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes. If you’re fine with your kids’ recordings ending up in unexpected places then sobeit, but that’s the assumption you have to work on because there’s a very real chance it’ll happen. There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.
For a very comprehensive and detailed write-up, we suggest you visit Troy Hunt’s website at the link below as he has a plethora of information, examples, and screenshots.
What do you think of yet another IoT security breach? Let us know in the comments below or on Twitter, Facebook, and Google+.Source: Troy Hunt