The Teddy Bears are Listening…

When Germany banned a connected doll over security concerns, it wasn’t being overly cautious.

As it turns out, there’s a textbook example of what happens when toy data privacy goes horribly wrong. Security researchers have discovered that Spiral Toys’ internet-connected teddy bears, CloudPets, stored kids’ voice messages to their parents, along with names and birthdays, in an insecure, misconfigured database that anyone could access online. Over 800,000 passwords for the toys’ accounts were stored as cryptographic hashes, but with no password strength requirement enforced. And it gets worse.

Info security expert Niall Merrigan found evidence that the databases were compromised. Intruders copied the databases, deleted the originals and demanded a payment in bitcoin to get the data back. The databases had completely disappeared by January 13th, suggesting that Spiral did not give in to, or even acknowledge, the demands.

As for Spiral’s response?

There is none, and might never be. Microsoft’s Troy Hunt and others have tried reaching out to Spiral multiple times to no avail. The company doesn’t appear to have notified customers despite obvious signs that something was amiss. From all indications, the company is on life support or dead. Its social media accounts have been silent for months, and its stock price is near worthless.

The kicker is that a lot of this would be entirely avoidable. Tod Beardsley, Rapid7 security research director, tells Engadget that all of the flaws could have been addressed. However, Spiral seemed “uniquely uninterested” in taking them on. While Rapid7 tends to get responses from companies “about 70% of the time” and almost always sees them implement a fix or workaround when they get in touch, it’s “increasingly rare” for a company to go completely silent.

It’s increasingly clear that connected toy makers are walking on glass when they decide to put kids’ communications online. Even if a company doesn’t do anything shady, it only takes a slip-up to expose extremely sensitive messages to the world. And that’s assuming skilled hackers don’t find it first, or that the company doesn’t go belly-up without a firm plan to erase stored data. This doesn’t mean that companies should abandon internet-capable toys altogether, but they need to both weigh the merits of storing any info online and take very, very thorough precautions to make sure that leaks like this can’t happen.
