First dolls, now teddy bears: IoT toys leak children’s data online
Yes, 2016 was far from a vintage year, but it seems the perils of 2017 are far more insidious. A recent spate of incidents has seen the Internet of Things go awry, with children often victimised by a lack of security. Most recently comes the news that the CloudPets IoT teddy bear left two million voice recordings of children exposed online.
From 25 December 2016 to 8 January this year, the data was left unprotected on a publicly available MongoDB database, according to security researcher Troy Hunt – data which included the email addresses and passwords of over 800,000 user accounts. Predictably enough, the data was pounced on by various third parties, including hackers, many of whom held it for ransom. Bitcoin ransom, that is – the loot of the internet age.
As for damage control, it was non-existent. Spiral, the company that manufactures the bears, has retreated into obscurity, with Engadget reporting that their stock price is all but worthless. They’re yet to confirm the breach, despite being contacted by a number of security professionals to alert them about the security lapse. IB Times spoke to Victor Gevers, the founder of the GDI Foundation, which assists online security victims, who took pains to rectify the incident by contacting Spiral: “I have been trying to reach through email, LinkedIn, Zendesk, Twitter. I even tried to reach the people via the private email. Never got a response,” he lamented.
Meanwhile, Rapid7 security spoke to Engadget, with research director Tod Beardsley commenting incredulously that Spiral seemed “uniquely uninterested” in addressing the security lapse. It was, he said, “increasingly rare” for a company not to rectify its security ills, with around 70% of companies getting back in touch to devise a restorative plan.
The incident with CloudPets joins the ranks of recent security lapses involving children and the Internet of Things. In early January, Amazon’s Alexa ordered a £160 dollhouse upon the accidental request of a six-year-old. In isolation this was not hugely problematic; the KidKraft Sparkle Mansion was donated to a local children’s hospital, America cooed at the little girl, and, for their part, her parents garnered an amusing dinner party story. What it triggered – a flurry of KidKraft Mansion orders across San Diego via a local news story playing in the same room as people’s Alexa devices – was more problematic.
Even more troublesome was the recall and requested destruction – yes, destruction – of Cayla dolls across Germany, amid fears that the smart doll was spying on children, like the creepy stuff of horror film nightmares. German watchdogs announced that Cayla was deemed an “illegal espionage apparatus” that compromised the security of children.
Forget “Children should be seen and not heard”. Children should not be seen, nor heard, nor have their data made vulnerable online for third-party advertisers or hackers to manipulate. Toymakers should be far, far more vigilant in their methods of storing and securing children’s data. When the incorruptible teddy bear falls victim to the Internet of Things, you know it’s gone too far.