California-based smart toy manufacturer Spiral Toys, well known for its product “CloudPets”, has been banned from stores in the UK and US after numerous security vulnerabilities came to light.
The cuddly smart toys contain a microphone, a speaker and a Bluetooth connection with a 10-30 metre range, which pairs the toy with mobile devices and allows the toy to act as a receiver and transmitter for conversations between its owner and anyone connected around the globe. The technology used in the product is up to date. However, it lacks protection for users’ data. Conversations held using the toys are stored in a cloud database through the mobile application. The database is said to be unsecured.
Spiral Toys said, “The hackers would only be able to access recordings if they managed to guess the passwords”.
Security researchers have found that 820,000 users’ details could be accessed in a public database without a password. They also discovered that passwords in place were easily guessable – such as “12345” or “password”.
Troy Hunt, a web security expert well known for his website “Have I Been Pwned?”, is a major name in the tech industry. He wrote on his blog that the data was stored in the cloud with no security measures; he also expressed concern that there were no password rules at all.
Context Information Security, a London-based company, revealed that it had found another flaw with the toys that meant hackers could trigger their own recordings in order to spy on owners. Its report states that “Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else”.
The Mozilla Foundation, which develops Firefox, subsequently commissioned a German research company to carry out further tests on the toys’ security. The report found that the second flaw had not been fixed yet. It reported a further problem that the toys’ and showed that the app referred users to a website whose domain registration had lapsed.
Mozilla shared the findings with digital rights group “The Electronic Frontier Foundation”, which wrote a letter to US retailers selling the items.
“What CloudPets demonstrates is the potential privacy risks that even a toy with limited connectivity can pose,” it said.
Ashley Boyd, vice-president of advocacy at Mozilla, told the BBC: “I’m a mother of two young kids, in a world where data leaks and breaches are becoming more routine, and products like CloudPets can sit on store shelves, I’m increasingly worried about my kids’ privacy and security”.
Although the toys are no longer listed on the Amazon store, eBay is still in the process of removing the product. UK stores Tesco and The Entertainer both appear to have stopped selling CloudPets after the earlier reports. The mobile apps are still available on the Google and Apple app stores.