Amazon kills off the CloudPet: Firm dumps smart toys over security concerns

‘Smart’ teddy bears that have listened to the voices of children and parents have been pulled from Amazon’s online stores after researchers said they were riddled with security flaws.

Walmart and Target stopped selling the online toy CloudPets last week. Amazon then removed the toys on Tuesday morning.

Mozilla contacted Amazon yesterday to alert the firm to research showing new vulnerabilities in CloudPets.


‘In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,’ Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.

CloudPets are soft toys that allow parents and children to record voice messages to one another through a microphone installed in the bear.

An app on a parent’s phone allows for messages recorded through the bear to be received remotely by the parent.

The parent can then respond by recording a message through their phone which is then sent to the bear.

Messages sent through the bear or app went through the internet and were stored online as audio files by toy company Spiral Toys.

Consumer advocates have raised alarms about children’s smart toys’ insecure wireless connections, which could leave them open to attack by hackers or strangers.


In 2017, hackers were able to access the online database and obtain email addresses, passwords and voice recordings from children, which cybercriminals then held for ransom at least twice.

WHAT ARE CLOUDPETS TOYS?

CloudPets are soft toys that allow parents and children to record voice messages to one another through a microphone installed in the bear.

An app on a parent’s mobile phone allows for messages recorded through the bear to be received remotely by the parent.

The parent can then respond by recording a message through their phone which is then sent to the bear.

Messages sent through the bear or app went through the internet and were stored online as audio files by toy company Spiral Toys.

They could now be in the hands of cyber criminals.

More than 800,000 people were affected by the breach.

The voice messages were not stored in the exposed user database itself, but were easily accessible via a separate data ‘bucket’ that didn’t require any authentication to access.

Additionally, the app allowed users to create weak passwords such as ‘12345’ or ‘cloudpets’, making it easy for cyber criminals to log into user accounts and listen to their messages.

Mozilla worked with a cybersecurity research firm called Cure53 to test vulnerabilities after the original breach in 2017. 

They found that the Bluetooth vulnerabilities that led to the first attack were still open, according to CNET. 

‘The company clearly does not care about their users’ security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users,’ the researchers wrote in their report.

Researchers also found that their mobile app refers users to a website called ‘mycloudpets.com/tour’, a domain that is for sale and could be accessed by potential criminals.   


The toys effectively speak and play with children based on messages transmitted over the airwaves through tiny Bluetooth or Wi-Fi aerials. Which? found that the Bluetooth connection on the four toys had not been secured.


CloudPets also had a third vulnerability, researchers said, that would allow hackers to install firmware to the toy without any security checks to stop them.

This would allow them to take control of the toy, along with any data that passed through it.  

‘We also urge you to consider putting in place new or improved systems to ensure that products you stock, especially those that collect the information of children, have basic practices in place to respect the trust that consumers place in them,’ Mozilla said.


