Security Through Education

A free learning resource from Social-Engineer, Inc

by Social-Engineer • March 2, 2017

Not Your Average (G.I.) Joe

Back in 2015 we reported on the possible vulnerabilities in the IoT web-connected Hello Barbie doll, and the possibility of privacy and security breaches from the cloud-stored communications of children. Two weeks ago Germany banned the interactive Cayla doll from stores and issued warnings to parents who had purchased it. The Cayla doll was found to be insecure and violated Germany's laws against concealed surveillance devices.

On Monday it was announced that these concerns were again realized by recent attacks against CloudPets plush animals. CloudPets allows parents to use a smartphone app to leave messages for their children on the plush toy, and children can send messages back to their parents. Profile data such as email addresses and passwords were all stored in an unsecured MongoDB database; in fact, it was so insecure that it had neither password nor firewall protection. While the account passwords were hashed, they were easily cracked because many were as simple as "cloudpets" or "1234567". The actual messages were found to be stored on an Amazon server that didn't require authentication either, and all an attacker had to do was guess or slightly change the URL to gain access to the recordings.

During the writing of this blog, more appalling details were discovered about the vulnerabilities of CloudPets. Anyone within Bluetooth range is able to connect to the plush and record what it is hearing at the time, or upload a message of any nature for it to play to the child. It essentially turns the toy into an eavesdropping device in your home.

Security researchers had been trying, unsuccessfully, to contact the makers of CloudPets, and the breached data has been exposed online since at least late last year. As of this writing, though, the toy maker hasn't responded or addressed the issue. If your child owns one of these toys, you should consider changing your account password and the passwords of any other accounts that may have used the same password (like your bank), and turn the device off until this issue is resolved.

As IoT becomes more commonplace across items in our homes, consumers need to demand better security from the manufacturers. Breaches like this also demonstrate why it's not recommended to use the same password across multiple sites, and why you should use a complex, unique password on every internet-connected account. Also make sure to discuss these issues and breaches with your non-technical friends who may not realize the dangers of the toy sitting in their living room. If you still want a toy that can play messages to your children, there are still Teddy Ruxpin dolls available on eBay that are secure from hacking.
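The breach paragraph above makes a point worth showing in code: the CloudPets passwords were hashed, yet "cloudpets" and "1234567" were cracked in moments, because hashing cannot protect a guessable input. The following is an added example (not code from CloudPets or from Social-Engineer) of the two defender-side controls that address both that paragraph and the password advice above: a registration policy that rejects weak or service-named passwords before they are stored, and a salted, slow key-derivation hash for the ones that pass. The blocklist and the service name are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed blocklist for the example; a real service would load a large
# leaked/common-password list. The first two entries are the ones the post
# says were recovered from the CloudPets dump.
COMMON_PASSWORDS = {"cloudpets", "1234567", "123456", "password", "qwerty"}
SERVICE_NAME = "cloudpets"  # assumption: the product name the policy forbids
MIN_LENGTH = 12
PBKDF2_ROUNDS = 600_000  # slow on purpose: raises the cost of every guess


def password_problems(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if SERVICE_NAME in lowered:
        problems.append("contains the service name")
    if password.isdigit():
        problems.append("digits only")
    return problems


def hash_password(password: str) -> str:
    """Hash with a random per-user salt and a slow KDF; returns 'salt_hex$hash_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF over the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Registration step: refuse weak passwords, otherwise return the value to store."""
    problems = password_problems(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)
```

Run `register("cloudpets")` to see the policy refuse it with all three reasons; the stored hash from a password that passes is only ever compared through `verify_password`, never by string equality.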

Sources:
https://www.social-engineer.org/general-blog/hello-barbie-the-doll-that-really-listens-2/
https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2017/17022017_cayla.html
https://www.nytimes.com/2017/02/17/technology/cayla-talking-doll-hackers.html
https://motherboard.vice.com/en_us/article/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings
https://motherboard.vice.com/en_us/article/qkm48b/how-this-internet-of-things-teddy-bear-can-be-remotely-turned-into-a-spy-device
