IoT Risks Are Worrisome, with Hacked Toys and Privacy in Harm's Way
A database containing account information used by children’s stuffed toys has been hacked, exposing the personal details of hundreds of thousands of parents and their children.
Source: Jef Cozza
The latest security debacle comes courtesy of toys called CloudPets. Marketed as “the message you can hug,” the Bluetooth-enabled stuffed animals are connected to a cloud server, allowing parents and children to record and transmit voice messages through the toys.
However, those messages were being stored in an unsecured MongoDB database that could be indexed using the Shodan Internet of Things search engine. That made it easy for hackers to download the database, which contained as many as 820,000 email addresses, passwords and more than 2 million associated voice messages, according to reports.
Breaking the Cardinal Rule
Security blogger and researcher Troy Hunt wrote about his discovery of the leaked data on his Web site. “People found the exposed database online,” Hunt said. “Many people and the worrying thing is, it's highly unlikely anyone knows quite how many.”
The database in question seems to include both staging and testing environments. What's unusual is that both environments face the public Web despite containing real customer data, breaking the cardinal rule of never putting production data into a non-production system, Hunt said.
“It also potentially exposes the production system (and production customer data) to developers building the software (another cardinal rule broken), but at this stage when it's entirely open to the Internet anyway, that would be the least of their worries,” he said. “The point is, what's disclosed . . . suggests the problems go deeper than data exposure alone.”
Big Sister Is Watching You
But CloudPets aren't the only new devices on the market giving heartburn to security and privacy experts. Amazon’s personal assistant, Alexa, could be used to spy on consumers for the police.
At least, a prosecutor in Arkansas is hoping that will be the case. The Benton County prosecuting attorney has demanded that Amazon hand over voice recordings from an Echo device that uses the Alexa AI (artificial intelligence) and is owned by a man who is a suspect in a murder case.
The Alexa assistant is voice activated, and it's always listening. When a user speaks a keyword, the Echo device records all the audio that follows and sends it to Amazon’s servers, where an analysis of the recording is performed.
The Arkansas prosecutor is demanding that the company hand over the audio files the Echo recorded the night of the alleged murder. Amazon has so far resisted the demands, calling them overbroad and inappropriate.
Still, as more devices become connected to the Internet and store more customer data remotely, the risk that even your speakers and your children's favorite toys could be used against you is becoming very real.