[51CTO.com original article] The classic scene in "Chungking Express" where Tony Leung Chiu-wai talks to a toothbrush, toothpaste, soap, a teddy bear, and a towel is gradually becoming commonplace. More and more intelligent interactive devices can achieve human-machine interaction and dialogue, such as the robot bears that can tell stories and chat in TV commercials. But you may not know that there are potential privacy and data security risks behind this.
Children are very familiar with Teddy Bear toys. CloudPets, a sub-brand of Teddy Bear, has a function that allows children to send and receive voice messages between relatives. However, Teddy Bear was recently involved in a serious security incident: more than 2 million voice messages between children and their parents were leaked, and the email addresses and passwords of more than 820,000 users were also exposed.

Cloudpets being blackmailed

Was it just a leak? Of course not. After the intruders illegally obtained the data, they held it for ransom. The Teddy Bear toy manufacturer's database was deleted three times and received three different ransom messages, namely "PWNED_SECURE_YOUR_STUFF_SILLY", "README_MISSING_DATABASES" and "PLEASE_READ".

Security expert Troy Hunt revealed in an article published on his blog that evidence such as the Shodan search engine showed that between December 25, 2016 and January 8, 2017, the user data of Cloudpets smart toys was stored in a public database without any password or firewall protection. Hunt also mentioned that during this period, many third-party organizations or individuals accessed this database, including hackers who stole users' email addresses and hashed passwords from Cloudpets' database.

It is reported that the Cloudpets database is hosted by a Romanian company called mReady, which has a contractual relationship with the teddy bear manufacturer. mReady stored the data in an open MongoDB database, and the voice messages in an open Amazon cloud storage service (Amazon S3), both accessible without any authentication. The stolen data includes user profile pictures, children's names and some information about their parents, relatives and friends. This means that anyone with bad intentions can listen to the voice messages as long as they obtain the correct URL.
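The root cause above is a database listener reachable from the Internet with no authentication. The following is an added example (not code from the article, Spiral Toys or mReady) that audits a mongod.conf for exactly those two settings; the two configurations are constructed samples, and the rule that a missing bindIp is a finding reflects that mongod releases before 3.6 listened on all interfaces by default.

```python
import re
from typing import List

# Constructed sample: the shape of the exposure described in the article.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback-only listener plus mandatory authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def audit_mongod_conf(text: str) -> List[str]:
    """Return findings for a YAML-format mongod.conf; empty list means both checks pass."""
    findings = []
    bind = re.search(r"^\s*bindIp:\s*['\"]?([^'\"\n]+?)['\"]?\s*$", text, re.M)
    auth = re.search(r"^\s*authorization:\s*(\S+)", text, re.M)

    if bind is None:
        findings.append("net.bindIp not set; mongod before 3.6 listened on all interfaces by default")
    else:
        addrs = [a.strip() for a in bind.group(1).split(",")]
        public = [a for a in addrs if a in ("0.0.0.0", "::")]
        if public:
            findings.append(f"net.bindIp {','.join(public)} exposes the listener on every interface")

    if auth is None or auth.group(1).strip().lower() != "enabled":
        findings.append("security.authorization not enabled; any client that reaches the port gets full access")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Run it against a real mongod.conf by reading the file into `audit_mongod_conf`; a network firewall in front of port 27017 is still needed, since the config alone cannot express that.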
A crisis ignored by toymakers

In fact, Cloudpets had long been aware of the data security issues, but still chose not to act, completely ignoring the possibility of user privacy being violated. Spiral Toys, as the toy manufacturer, is not much better. Spiral Toys' CEO directly denied the data leak: "Users' voice messages were stolen? Absolutely impossible." It was not until last week, when the company was contacted by reporters about the incident, that it began to admit there might be some minor problems with the data, while maintaining that intruders could only access voice messages after obtaining the user's password. The company claimed that user passwords are hashed with the bcrypt algorithm, which makes them difficult to crack.

Unfortunately, Cloudpets imposed no requirements at all on password choice. Users could even use the single letter "a" as their password, so intruders can crack many accounts simply by trying common passwords such as "qwerty" or "123456". A slow hash like bcrypt only raises the cost of each guess; it does nothing when the attacker needs only a handful of guesses.

It is said that the manufacturer received a total of four warnings that user data had been left online without any protection, making it easy for anyone with ulterior motives to obtain it. However, the data remained unattended for more than a week, and there is evidence that it was stolen multiple times during this period. "What Cloudpets probably didn't know at the beginning was that the database was in a public place and that a malicious party had access to the data," Hunt said. "Obviously, even though they had changed the security profile of the system, they couldn't change the damage caused by the ransomware, so whether it was an exposed database or a hack and ransomware, those are the ones that are most likely to make headlines and attract attention."
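To make the point about bcrypt and password policy concrete, here is an added example (not Cloudpets' code) of a registration path that rejects the passwords the article cites before anything is hashed. It uses scrypt from the Python standard library as a stand-in for bcrypt, and the common-password denylist is a constructed stub for a real breached-password list.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed stub; a real deployment would check against a breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "abc123", "letmein"}
MIN_LENGTH = 12
SALT_LEN = 16


def password_policy_violation(password: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it passes the policy."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "appears in the common-password list"
    if len(set(password.lower())) < 4:
        return "too few distinct characters"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted scrypt hash (stand-in for bcrypt); returns salt || digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt + digest


def register(password: str) -> bytes:
    """Enforce the policy first: a slow hash cannot protect a guessable password."""
    problem = password_policy_violation(password)
    if problem:
        raise ValueError(f"password rejected: {problem}")
    return hash_password(password)


def verify(stored: bytes, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored salt || digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return secrets.compare_digest(hash_password(candidate, salt)[SALT_LEN:], digest)
```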
Cloudpets Nightmare Episode 2

The CloudPets nightmare shows no sign of ending: according to the latest news, the smart toy's Bluetooth Web API could be at risk of being remotely hacked. Specifically, these toys have a feature that allows a web page to connect to the toy via Bluetooth without any authentication, so that the web page can control the toy and record using the toy's microphone. The same feature can also be used to play audio messages. This insecure API implementation therefore allows intruders to remotely eavesdrop on homes that have such smart toys. All they need is a mobile phone, a web page, and Bluetooth pairing with the nearest smart toy to start eavesdropping.

Researchers at security company Context Information mentioned that they were investigating Web Bluetooth when the CloudPets data leak was exposed. Now that the investigation has been halted, Spiral Toys, as the toy manufacturer, faces further criticism. "When the user first uses the Cloudpets official app, they are asked to click a 'Confirm' button to complete the configuration. At first I thought this was some kind of security mechanism, but it turns out that the toy doesn't need anything," the report said. "When the user first configures the toy, the Cloudpets app performs a firmware update, and the firmware file is located in the APK. The firmware is only encrypted after confirming that it has passed the CRC-16 (Cyclic Redundancy Check) check, so it is entirely possible to remotely modify the toy's firmware." The researchers also pointed out that as long as Bluetooth is in a connectable state and the toy has not been paired, anyone can connect to it. Because the typical Bluetooth connection range is between 10 and 30 meters, an intruder can connect to the toy from outside someone's door and use the microphone, or upload and download voice messages.
51CTO recommends

If you have a Cloudpets account, check whether it has been compromised through Have I Been Pwned?, a website that contains all the user data leaked by Spiral Toys so far. If your account appears in the breach, change your account password first, and preferably disconnect the toy from the Internet. Finally, just in case, change the passwords of any other accounts that use the same password as Cloudpets.

If you have read this far, the editor has one more suggestion: instead of talking to toys, get a pet, just like Fan Bingbing talks to her Garfield cat every day. Maybe it will be safer!

[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]