First there was Hello Barbie, then VTech – now a teddy bear is the latest connected toy to pose serious privacy risks to both parents and children.
Troy Hunt, author of the Have I Been Pwned data breach disclosure site, has revealed in a blog that a toy called CloudPets has fallen victim to a data breach, exposing 2.2 million voice recordings of children and parents and the email addresses and password data for more than 800,000 accounts.
Leaked from a MongoDB database, Hunt tried to look from the persepctive of the parent, saying in the blog:
“[Parents] certainly wouldn’t realise that in CloudPets’ case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).
“Unfortunately, things only went downhill from there. People found the exposed database online. Many people and the worrying thing is, it’s highly unlikely anyone knows quite how many.”
Hunt first found out about the breach week commencing 20 February, after being sent data holding user accounts. Explaining the following verification, Hunt said:
“I started going through my usual verification process to ensure it was legitimate and by pure coincidence, I was in the US running a private security workshop at the time and one of the guys in my class had a CloudPets account. Sure enough, his email address was in the breach and it was time-stamped Christmas day, the day his daughter had been given the toy.”
Following further verification using his student’s CloudPets password, Hunt discovered that CloudPets had left their database exposed publicly to the web without even a password to protect it.
Explaining his disbelief, Zohar Alon, CEO and co-founder at Dome9 Security, said: “Lax security practices that expose the personal data of children and parents to data-jacking are just unconscionable.”
“Customers of public cloud services such as Amazon Web Services and Microsoft Azure have cutting-edge tools at their disposal to manage security in their environments, including identity and access management, network security and application firewalls. But the best tools can’t save customers from irresponsible behavior. The agility and ease of use of the public cloud make it just as easy to build new apps that don’t take security into account.”
The individual who passed Hunt the data tried to alert CloudPets no less than three times, warning the organisation of a serious security vulnerability. Reportedly, he did not receive a single response. However, this has been denied by Spiral Toys, makers of CloudPets. Responding to a comment request by Michael Kan, the company issued a denial:
“The headlines that say 2 million messages were leaked on the internet are completely false,” said Mark Myers, CEO of the company.
“Were voice recordings stolen? Absolutely not. We looked at it and thought it was a very minimal issue.”
However, further investigations by Hunt reveal that perhaps it was not such a minimal leak as the CEO suggests.
Further investigation revealed that, similar to other incidents with MongoDB, ransoms were being demanded for the leaked data. Hunt’s friend Niall Merrigan, who had previously worked on exposed MongoDBs, was enlisted to find out about the extent of CloudPet’s exposure. Using Shodan’s API, Merrigan discovered a pattern which indicated ransoms being demanded of the leaked data.
“Whilst Shodan doesn’t index the contents of exposed databases it finds, it’s a safe bet that the exposed CloudPets one contained the same message as so many other compromised ones with the same name did. The analysis that Niall was doing at the time showed that at this stage, the two original CloudPets databases had been deleted which is what you’d expect when a ransom is being demanded,” wrote Hunt.
The situation then got worse, with Merrigan and Hunt finding that there were “many malicious parties taking action against exposed databases during this period and we frequently saw the same system accessed multiple times by different actors, each demanding their own ransom. It wasn’t until Jan 13 that Shodan reported no publicly accessible databases remained on CloudPets’ IP Address.
MongoDB databases have been plagued by ransomware attacks recently, with the first wave of attacks surfacing in January 2017. The first reported attacks wreaked havoc on a reported half of internet-facing MongoDB databases. Hackers looked for MongoDB installations on the internet and targeted those without a set administrator password. The hackers then took control of these unsecure accounts, deleted data and demanded a ransom for the return of said data.
Obviously finding a lucrative goldmine in the instances, the hackers then turned their ransomware attentions towards Hadoop and ElasticSearch. At the end of January, Rapid& led an investigation which found that nearly 30,000 MongoDB servers were held captive in ransomware attacks.
READ MORE: Nearly 30,000 MongoDB servers held captive in ransomware attacks – and ElasticSearch is just as bad
“The core reason why attackers are targeting devops-ish technologies is that most of these servers have a default configurations which have tended to be wide open (i.e. they listen on all IP addresses and have no authentication) to facilitate easy experimentation exploration,” said Rapid7’s Bob Rudis.
“Said configuration means you can give a new technology a test on your local workstation to see if you like the features or API but it also means that — if you’re not careful — you’ll be exposing real data to the world if you deploy them the same way on the internet.”