IoT Teddy Bear Leaked Personal Audio Recordings

CloudPets are Internet-connected stuffed animals that allow children and parents to send each other voice messages. Last week, we learned that Spiral Toys had such poor security that it exposed 800,000 customer credentials and two million audio recordings.

As we've seen time and time again in the last couple of years, so-called "smart" devices connected to the internet -- what is popularly known as the Internet of Things or IoT -- are often left insecure or are easily hackable, and often leak sensitive data. There will be a time when IoT developers and manufacturers learn the lesson and make secure-by-default devices, but that time hasn't come yet. So if you are a parent who doesn't want your loving messages with your kids leaked online, you might want to buy a good old-fashioned teddy bear that doesn't connect to a remote, insecure server.

That's about right. This is me on that issue from 2014.

Posted on March 15, 2017 at 12:14 PM • 13 Comments

Comments

richard shyduroff • March 15, 2017 12:45 PM

... name suggestion for a future device line: spyral toys ... - rlds ...

My Info • March 15, 2017 1:07 PM

But, but... think of the children!!!

Think how many cases of child molestation we could prosecute if we had these recordings!

Name (required): • March 15, 2017 1:26 PM

Stuff like this, and, well, this (NSFW-ish?) could be exactly what we need to get the "average" person to start taking privacy seriously.

If the people that parrot the "if you've got nothing to hide" line are forced to face the fact that their own very private moments, and their children's private moments, are being made available to third parties, they may rethink their position on "benevolent" surveillance.

Tatütata • March 15, 2017 8:03 PM

<kellyanne>"Just sayin'": Barron must have been offered one of these by Michelle</kellyanne>

ATN • March 16, 2017 4:34 AM

People think the problem is leaking the conversation between parent and child, but that is not the way to make hard cash.
Interested people will have more success by being creative, like deducing that if the teddy bear is not in the house but in a holiday location, you can burgle the house easily; if the teddy bear speaks you can ask the child to phone an expensive phone number to ask for chocolate, ...

Clive Robinson • March 16, 2017 6:00 AM

How many years is it since Furbies were banned from secret places?

It feels like it must have been back in the time of the Maggie and Ronny double act in the 1980s, but I suspect it was more likely the Blair and Bush puppy love days.

Whenever it was, you would have thought developers at least would have been taught --assuming they went to uni-- about them, along with the early Tamagotchi problem (died if kids did not take it to school etc).

I'm guessing even if they were told it went in one ear and was driven out again by the marketing dept trumpeting in the other ear.

For "young developers" out there, just because there is a new "in-tech" it does not mean it's a good idea to just use it without a little reflection on past problems... Because at some point a judge will get around to making people bankrupt, jail birds or both, and you don't want to be the one standing in the spotlight when that is handed down, because "only following orders" is not a defense, and those that gave the orders will, as with bribery cases, deny they even had knowledge, let alone gave orders.

albert • March 16, 2017 1:00 PM

Mad rush to computerize everything, then apologize (and/or blame the bad guys, or (cough) the user) when the sh!t hits the fan. That's the business model for the IoT.

I'm not a fan of regulation (except in a theoretical sense) for many reasons. Chief among them is that the regulators are always controlled by political appointees that are usually meat-puppets of the Ruling Party, and so are as useless as tits on a boar hog. Technical regulations require technical expertise, both in the writing, and the enforcement. Apparently, this needs to be pointed out continuously.

Technical regulations need to be written by non-partisan experts, not Congress-critters. Preferably, a permanent, independent group.

The LE/IC needs to be kept out of it.

We need a new independent agency with draconian enforcement powers to deal specifically with IoT products, and in general, Internet-connected consumer products. Agency heads cannot be appointed. Foreign manufacturers will post bonds and/or pay import duties, even if they claim to meet US regulations. US manufacturers will pay for US certification.

Until such time as there are serious financial and criminal penalties involved, it will be 'business as usual' in the IoT world.

. .. .. --- ....


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.