Has a nice write-up, but also an annoying popup…
Internet-Connected Teddy Bear Leaks Millions Of Voice Messages and Password
Monday, February 27, 2017 Swati Khandelwal
Every parent should think twice before handing out Internet-connected toys or smart toys to their children, as these creepy toys pose a different sort of danger: privacy and data security risks for kids who play with them.
A similar incident happened over a year ago, when Hong Kong toymaker VTech was hacked, exposing personal details, including snaps of parents and children and chat logs, of about 6.4 million children around the world.
Now, in the latest security failing of the internet-connected smart toys, more than 2 Million voice recordings of children and their parents have been exposed, along with email addresses and passwords for over 820,000 user accounts.
If it doesn’t require an internet connection to function, do not connect it to the internet.
Only connect to the internet when you need some service from it.
Do not, ever, leave anything other than your router persistently connected TO the internet. (Even that is something I’m considering periodically shutting down. If it were under my control with my backup and configuration I would already turn it off when not in use.) Yes, even a doll or teddy bear.
Trusting a 3rd party to secure any data is always a risk. Do not depend on it.
Cloudpets’ Data was Held for Ransom
The customer data was left unprotected from 25 December 2016 to 8 January in a publicly available database that wasn’t protected by any password or a firewall, according to a blog post published Monday by Troy Hunt, creator of the breach-notification website Have I Been Pwned?.
Hunt said that the exposed data was accessed multiple times by many third parties, including hackers who accessed and stole customer emails and hashed passwords from a CloudPets database.
In fact, in early January, when cyber criminals were actively scanning the Internet for exposed or badly-configured MongoDB databases to delete their data and ultimately hold it for ransom, CloudPets’ database was overwritten twice.
Toy Maker was Notified of the Breach Multiple Times
The worst part comes in when any company is notified of some issue, but it doesn’t give a shit to protect its customers. Spiral Toys did the same.
The toy maker was allegedly notified four times that its customer data was online and available for anyone to have their hands on — yet the data remained up for almost a week with evidence suggesting that the data was stolen on multiple occasions.
Interestingly, the CloudPets blog hasn’t been updated since 2015, and there is not any public notice about the security concerns.
While voice recordings were not kept on the open MongoDB databases, Spiral Toys used an open Amazon-hosted service that required no authorization to store the recordings, user profile pictures, children’s names, and their relations to parents, relatives, and friends.
This eventually means that anyone with malicious intent could listen to the recordings by only guessing the correct URL.
Amazon again… and a zero security system. Oh Joy… /sarc;
The good bit is that it looks like they at least had it all encrypted, so it was mostly a ransomware attack on the company.
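The excerpt above describes two exposures: a MongoDB instance with no password, and an Amazon-hosted store where anyone who could guess a URL could fetch recordings. The check below is an added example, not code from Spiral Toys, Troy Hunt, or the article. It classifies what an anonymous, credential-free GET against an S3-style bucket URL comes back with, using constructed sample responses (the bucket name, key names and XML bodies are made up here) so it runs offline; the S3 listing XML format and namespace are assumed from the public S3 API, and `probe_bucket` is a thin live wrapper you would point at a real URL.

```python
"""Added example (not from CloudPets/Spiral Toys or the article): classify an
unauthenticated HTTP response from an S3-style object store.

An anonymous GET on a bucket URL returns an XML listing when the bucket allows
public listing, an AccessDenied error document when it does not, and a 404 when
the bucket name does not exist.  Everything below runs offline on constructed
responses; `probe_bucket` wires the same classifier to a live request.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Namespace used by the S3 ListBucket response (assumed from the public S3 API).
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample: what a publicly listable bucket hands to an anonymous GET.
# Bucket name and keys are invented; note how predictable the key layout is.
PUBLIC_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-toy-recordings</Name>
  <Contents><Key>profiles/1001/avatar.jpg</Key><Size>20481</Size></Contents>
  <Contents><Key>recordings/1001/2016-12-25-msg01.wav</Key><Size>102400</Size></Contents>
  <Contents><Key>recordings/1002/2016-12-31-msg07.wav</Key><Size>88321</Size></Contents>
</ListBucketResult>"""

# Constructed sample: a bucket that correctly refuses anonymous listing.
DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""


def classify(status: int, body: bytes) -> dict:
    """Turn one anonymous GET (status, body) into {"exposure": ..., "keys": [...]}."""
    if status == 404:
        return {"exposure": "no-such-bucket", "keys": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"exposure": "unknown", "keys": []}
    if root.tag == S3_NS + "ListBucketResult":
        keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
        return {"exposure": "public-listing", "keys": keys}
    # S3 error documents carry no namespace.
    if root.tag == "Error" and root.findtext("Code") == "AccessDenied":
        return {"exposure": "private", "keys": []}
    return {"exposure": "unknown", "keys": []}


def probe_bucket(url: str, timeout: float = 5.0) -> dict:
    """Live variant: plain GET with no credentials, fed to the same classifier."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return classify(r.status, r.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read())


if __name__ == "__main__":
    print(classify(200, PUBLIC_LISTING))
    print(classify(403, DENIED))
```

A "private" result only means listing is refused. Individual objects can still be world-readable, and if keys follow a pattern like `recordings/<user-id>/<date>-msgNN.wav` an attacker does not need a listing at all, which is exactly the "guessing the correct URL" problem in the excerpt. Random, unguessable object keys plus no anonymous read on the bucket close both doors.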
It seems that between Christmas and the first week of January, the company behind CloudPets, Spiral Toys, left customer data on a database that wasn’t protected by a firewall or a password. Search engine Shodan, often used to find unprotected websites and servers, was put to use to find the MongoDB where all the CloudPets data was stored.
Shodan, eh? Hmmm…. so “there’s a search engine for that!”…
So what was exposed? Well, more than 800,000 emails and passwords. Thankfully, they were secured with bcrypt, a hashing function that’s stronger and harder to crack than others more frequently used. Troy Hunt, security researcher behind Have I Been Pwned, analyzed the CloudPets data and claims that a large number of those passwords were so weak they might have been cracked.
In the weeks the data was exposed, two security researchers, as well as malicious hackers, got their hands on the information. It seems that several cybercriminals got their hands on the database and held it for ransom, as the CloudPets’ data was overwritten twice.
IoT devices, as a whole, have serious security problems and have been hacked countless times. These connected toys, however, bring the added risk of putting your child in danger, on top of your privacy.
Just recently, Germany banned Cayla dolls due to security problems and for fear that the Internet connection used by the doll to return answers to kids’ questions could easily be hacked. The toys have since been removed from stores.
“Such incidents are very frustrating, as it’s just a tip of the IoT iceberg. Too many companies, unfamiliar with the basic principles of information security, have entered into the IoT manufacturing business, putting data and privacy of their customers at critical risk,” Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told Softpedia.
“Regulatory requirements and compliance with law are also commonly ignored and neglected by the IoT manufacturers. For example, did the parents give an explicit authorization to store their voices? For which period of time? Can parents request the removal of their data and voices from the database? Will it be unrecoverably removed? Enforcement of GDPR regulation should motivate IoT vendors to give clear and reasonable answers to these and similar questions,” Kolochenko added.
And that, boys and girls, is why I call them the I[di]OT devices and not just IOT…
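The Softpedia excerpt above makes the point that bcrypt is a strong hash yet many of the CloudPets passwords were weak enough to crack anyway. The script below is an added example of why, not Troy Hunt's analysis or anything from the leak. The `bcrypt` package is not in Python's standard library, so `hashlib.pbkdf2_hmac` stands in as the slow hash; the attack shape (take the stored salt, hash each guess, compare) is identical against bcrypt, only the per-guess cost differs. The work factor, wordlist and passwords are constructed for the example.

```python
"""Added example, not from the article or Troy Hunt's analysis: a slow
password hash limits guesses per second, it does not make a weak password safe.

The leaked hashes were bcrypt; pbkdf2_hmac is used here only because it ships
with Python.  Swap in bcrypt.checkpw and nothing else about the attack changes.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # assumed work factor for the example, chosen to keep it quick


def make_record(password: str, salt=None) -> dict:
    """What a site stores: a per-user salt and the slow hash of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def check(password: str, record: dict) -> bool:
    """Verify one guess against a stored record (constant-time compare)."""
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(guess, record["hash"])


# Constructed mini-wordlist; a real attacker brings tens of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "cloudpets", "teddy", "qwerty123", "letmein"]


def crack(record: dict, wordlist=WORDLIST):
    """Dictionary attack on one leaked record: (password, guesses) or (None, guesses)."""
    for n, word in enumerate(wordlist, 1):
        if check(word, record):
            return word, n
    return None, len(wordlist)


def guesses_per_second(samples: int = 5) -> float:
    """Rough per-guess cost of the hash on this machine; the only thing the
    work factor buys you is a smaller number here."""
    rec = make_record("x")
    t0 = time.perf_counter()
    for _ in range(samples):
        check("y", rec)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    weak = make_record("qwerty123")       # the kind of password Hunt found plenty of
    strong = make_record("c3v7-Qm9!xR2p")  # not in any wordlist
    print(crack(weak))    # found after a handful of guesses
    print(crack(strong))  # survives the whole list
    print(f"~{guesses_per_second():.0f} guesses/s on this machine")
```

Run it and the weak password falls on the sixth guess; the strong one survives because it is not in the list, not because the hash is slower. The work factor turns a billion-guesses-per-second fast-hash attack into a few thousand per second per core, which is enough to protect a random twelve-character password and nowhere near enough to protect "qwerty123".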
Shodan is a search engine that lets the user find specific types of computers (web cams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are meta-data the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server.
Shodan collects data mostly on web servers (HTTP/HTTPS – port 80, 8080, 443, 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), SIP (port 5060), and Real Time Streaming Protocol (RTSP, port 554). The latter can be used to access webcams and their video stream.
It was launched in 2009 by computer programmer John Matherly, who, in 2003, conceived the idea of searching devices linked to the Internet. The name Shodan is a reference to SHODAN, a character from the System Shock video game series.
Well, isn’t that handy. I note the use of the word “mostly” with reference to ports scanned. That, BTW, is why for some things folks will reroute their services over “non-standard ports”. It is “security by obscurity” but does reduce how many folks notice an opening. Were I to set up my own VPN server at home, I’d put it on a very odd port.
This is also why FTP and Web servers MUST be locked down very tightly. It’s why I like to do things like get the service up and running, then proceed to strip out every bit of tools, utilities and applications that are not essential to making it go. Ideally you just want the kernel, limited device drivers, and the application itself. (Another reason why I’m not fond of SystemD… how do you strip out things you don’t need when it is all in one block of obscure code?…) IF someone manages to hack in, they find scorched earth and no support systems / tools. They must import all their warez and tools and that takes time and shows up on IDS systems. Ideally, the whole OS and Application space is on read only media too, so at most a reboot clears it.
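The Shodan description above says it is essentially a search engine of service banners, and the paragraph on odd ports says obscurity reduces who notices but is not security. The script below is an added example, not Shodan's crawler or anything from the article: a minimal banner grabber of the kind such a crawler runs, with a throwaway local listener so it works offline. The banner string is constructed in OpenSSH's format with an assumed version, and the port is whatever the OS hands out, which is the point: the service announces itself in its first bytes no matter which port it sits on.

```python
"""Added example (not Shodan's code): grab and fingerprint a service banner.

Shodan indexes what a service volunteers when you connect; a fake listener is
started on a random local port so the grab can be demonstrated offline.
"""
import socket
import threading

# Constructed banner in OpenSSH's wire format; the version string is assumed.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def serve_banner(banner: bytes, host: str = "127.0.0.1") -> int:
    """Start a background listener that sends `banner` to every client.
    Binds port 0 so the OS picks an unused (and non-standard) port; returns it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return port


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 2.0) -> str:
    """Connect, optionally send a probe (HTTP needs one: b'HEAD / HTTP/1.0\\r\\n\\r\\n'),
    then read whatever the service says first.  Returns '' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("ascii", "replace").strip()


def identify(banner: str) -> str:
    """Crude fingerprint from the banner text alone; the port number is never consulted."""
    upper = banner.upper()
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 ") and "FTP" in upper:
        return "ftp"
    if banner.startswith("220 ") and "SMTP" in upper:
        return "smtp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


if __name__ == "__main__":
    port = serve_banner(FAKE_BANNER)
    text = grab_banner("127.0.0.1", port)
    print(f"port {port}: {text!r} -> {identify(text)}")
```

Moving a service to an odd port buys exactly as much as the scanner's port list is short; a crawler that happens to try the port gets the same `SSH-2.0-...` line and files the host under SSH anyway. Key-only authentication and an allow-list of source addresses are what actually change the outcome.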
So, from 2013… I’m only 4 years late to this party. Sigh. Then again, having zero I[di]OT things I’ve not been motivated to “keep up”…
Shodan: The scariest search engine on the Internet
by David Goldman @DavidGoldmanCNN April 8, 2013: 1:41 PM ET
“When people don’t see stuff on Google, they think no one can find it. That’s not true.”
That’s according to John Matherly, creator of Shodan, the scariest search engine on the Internet.
Unlike Google (GOOG), which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. (Shodan’s site was slow to load Monday following the publication of this story.)
Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.
Gee… 1/2 Billion targets. Think 100% of them are locked down tight? …
It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.
“It’s a massive security failure,” said HD Moore, chief security officer of Rapid 7, who operates a private version of a Shodan-like database for his own research purposes.
I remind folks that the hack of Target was initiated through the HVAC connection… Look, I know you don’t like to drive in on a Saturday when someone complains about the A/C, but I ran facilities before. I know.
Every Monday Morning I would walk the building and set the thermostats back to the neutral position. Took about 10 minutes and I got to inspect the place while I was at it. (3 stories, 120,000 sq. ft.) First time I did this nearly all were askew. Then about every Thursday in the evening I’d do another “check up” pass to find where someone thought putting it at 90 F would turn off the A/C (and instead caused more AC in their block and heat in the one next over…) and set them back to neutral. After a few weeks of this folks stopped fiddling with them as the environmentals were nice and relatively stable. No internet required. No exposure of my company to a backdoor hack. IFF you really MUST have your Heat / AC connected to the internet, do NOT connect it to your company network too. Have a place you can “jack in” a laptop if you need computer access to it on campus, but leave that plug empty until needed and NOT bridged to your corporate network. Not even a modem. Not anything.
People call me paranoid when I talk like that. I like to point out I’m not paranoid, just observant and clueful. Spend 20 or 30 years dodging whacks with the Clue Stick and you gain clue without the bruises.
OK, enough of that… I’m going back to what I was working on before this hit the news on RT…