Fuzzy Bear Hacks – Another I[di]OT Issue

Has a nice write-up, but also an annoying popup…


Internet-Connected Teddy Bear Leaks Millions Of Voice Messages and Password
Monday, February 27, 2017 Swati Khandelwal

Every parent should think twice before handing out Internet-connected toys or smart toys to their children, as these creepy toys pose a different sort of danger: privacy and data security risks for kids who play with them.

This same incident was happened over a year ago when Hong Kong toymaker VTech was hacked, which exposed personal details, including snaps of parents and children and chat logs, of about 6.4 million children around the world.

Now, in the latest security failing of the internet-connected smart toys, more than 2 Million voice recordings of children and their parents have been exposed, along with email addresses and passwords for over 820,000 user accounts.

If it doesn’t require an internet connection to function, do not connect it to the internet.

Only connect to the internet when you need some service from it.

Do not, ever, leave anything persistently connected to the internet other than your router TO the internet. (Even that is something I’m considering periodically shutting down. If it were under my control with my backup and configuration I would already turn it off when not in use.) Yes, even a doll or teddy bear.

Trusting a 3rd party to secure any data is always a risk. Do not depend on it.

Cloudpets’ Data was Held for Ransom

The customer data was left unprotected from 25 December 2016 to 8 January in a publicly available database that wasn’t protected by any password or a firewall, according to a blog post published Monday by Troy Hunt, creator of the breach-notification website Have I Been Pwned?.

Hunt said that the exposed data was accessed multiple times by many third parties, including hackers who accessed and stole customer emails and hashed passwords from a CloudPets database.
In fact, in early January, when cyber criminals were actively scanning the Internet for exposed or badly-configured MongoDB databases to delete their data and ultimately hold it for ransom, CloudPets’ database was overwritten twice.

Toy Maker was Notified of the Breach Multiple Times

The worst part comes in when any company is notified of some issue, but it doesn’t give a shit to protect its customers. Spiral Toys did the same.

The toy maker was allegedly notified four times that its customer data was online and available for anyone to have their hands on — yet the data remained up for almost a week with evidence suggesting that the data was stolen on multiple occasions.

Interestingly, the CloudPets blog hasn’t been updated since 2015, and there is not any public notice about the security concerns.
While voice recordings were not kept on the open MongoDB databases, Spiral Toys used an open Amazon-hosted service that required no authorization to store the recordings, user profile pictures, children’s names, and their relations to parents, relatives, and friends.

This eventually means that anyone with malicious intent could listen to the recordings by only guessing the correct URL.

Amazon again… and a zero security system. Oh Joy… /sarc;

The good bit is that it looks like they at least had it all encrypted, so it was mostly a ransomware attack on the company.


It seems that between Christmas and until the first week of January, the company behind CloudPets, Spiral Toys, left customer data on a database that wasn’t protected by a firewall or a password. Search engine Shodan, often used to find unprotected websites and servers, was put to use to find the MongoDB where all the CloudPets data was stored.

Shodan, eh? Hmmm…. so “there’s a search engine for that!”…

So what was exposed? Well, more than 800,000 emails and passwords. Thankfully, they were secured with bcrypt, a hashing function that’s stronger and harder to crack than others more frequently used. Troy Hunt, security researcher behind Have I Been Pwned, analyzed the CloudPets data and claims that a large number of those passwords were so weak they might have been cracked.

In the weeks the data was exposed, two security researchers, as well as malicious hackers, got their hands on the information. It seems that several cybercriminals got their hands on the database and held it for ransom, as the CloudPets’ data was overwritten twice.
IoT devices, as a whole, have serious security problems and have been hacked countless times.
These connected toys, however, bring the added risk of putting your child in danger, on top of your privacy.

Just recently, Germany banned Cayla dolls due to security problems and for fear that the Internet connection used by the doll to return answers to kids’ questions could easily be hacked. The toys have since been removed from stores.

“Such incidents are very frustrating, as it’s just a tip of the IoT iceberg. Too many companies, unfamiliar with the basic principles of information security, have entered into the IoT manufacturing business,
putting data and privacy of their customers at critical risk,” Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told Softpedia.

“Regulatory requirements and compliance with law are also commonly ignored and neglected by the IoT manufactures.
For example, did the parents give an explicit authorization to store their voices? For which period of time? Can parents request the removal of their data and voices from the database? Will it be unrecoverably removed? Enforcement of GDPR regulation should motivate IoT vendors to give clear and reasonable answers to these and similar questions,” Kolochenko added.

And that, boys and girls, is why I call them the I[di]OT devices and not just IOT…


Shodan is a search engine that lets the user find specific types of computers (web cams, routers, servers, etc.) connected to the internet using a variety of filters.
Some have also described it as a search engine of service banners, which are meta-data the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server.

Shodan collects data mostly on web servers (HTTP/HTTPS – port 80, 8080, 443, 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), SIP (port 5060), and Real Time Streaming Protocol (RTSP, port 554). The latter can be used to access webcams and their video stream.

It was launched in 2009 by computer programmer John Matherly, who, in 2003, conceived the idea of searching devices linked to the Internet. The name Shodan is a reference to SHODAN, a character from the System Shock video game series.

Well, isn’t that handy. I note the use of the word “mostly” with reference to ports scanned. That, BTW, is why for some things folks will reroute their services over “non-standard ports”. It is “security by obscurity” but does reduce how many folks notice an opening. Were I to set up my own VPN server at home, I’d put it on a very odd port.

This is also why FTP and Web servers MUST be locked down very tightly. Why I like to do things like get the service up and running, then proceed to strip out every bit of tools, utilities and applications that are not essential to making it go. Ideally you just want the kernel, limited device drivers, and the application itself. (Another reason why I’m not fond of SystemD… how do you strip out things you don’t need when it is all in one block of obscure code?…) IF someone manages to hack in, they find scorched earth and no support systems / tools. They must import all their warez and tools and that takes time and shows up on IDS systems. Ideally, the whole OS and Application space is on read only media too, so at most a reboot clears it.


So, from 2013… I’m only 4 years late to this party. Sigh. Then again, having zero I[di]OT things I’ve not been motivated to “keep up”…

Shodan: The scariest search engine on the Internet
by David Goldman @DavidGoldmanCNN April 8, 2013: 1:41 PM ET

“When people don’t see stuff on Google, they think no one can find it. That’s not true.”

That’s according to John Matherly, creator of Shodan, the scariest search engine on the Internet.

Unlike Google (GOOG), which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. (Shodan’s site was slow to load Monday following the publication of this story.)

Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

Gee… 1/2 Billion targets. Think 100% of them are locked down tight? …

It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.

“It’s a massive security failure,” said HD Moore, chief security officer of Rapid 7, who operates a private version of a Shodan-like database for his own research purposes.

I remind folks that the hack of Target was initiated through the HVAC connection… Look, I know you don’t like to drive in on a Saturday when someone complains about the A/C, but I ran facilities before. I know.

Every Monday Morning I would walk the building and set the thermostats back to the neutral position. Took about 10 minutes and I got to inspect the place while I was at it. ( 3 stories, 120,000 sq.ft.) First time I did this nearly all were askew. Then about every Thursday in the evening I’d do another “check up” pass to find where someone thought putting it at 90 F would turn off the A/C (and instead caused more AC in their block and heat in the one next over…) and set them back to neutral. After a few weeks of this folks stopped fiddling with them as the environmentals were nice and relatively stable. No internet required. No exposure of my company to a backdoor hack. IFF you really MUST have your Heat / AC connected to the internet, do NOT connect it to your company network too. Have a place you can “jack in” a laptop if you need computer access to it on campus, but leave that plug empty until needed and NOT bridged to your corporate network. Not even a modem. Not anything.

People call me paranoid when I talk like that. I like to point out I’m not paranoid, just observant and clueful. Spend 20 or 30 years dodging whacks with the Clue Stick and you gain clue without the bruises.

OK, enough of that… I’m going back to what I was working on before this hit the news on RT…

Subscribe to feed

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits and tagged , , , , . Bookmark the permalink.

23 Responses to Fuzzy Bear Hacks – Another I[di]OT Issue

  1. M Simon says:

    It is worse than that. The “Smart Grid” is another stupid idea. The grid controls and or various parts of it are being hooked up to the ‘net.

    Bad enough they can steal your data. Worse is they can control your appliances. I have been writing about it.




  2. E.M.Smith says:

    Why I’ve re-started my home UPS project (one room already on batteries / isolation ) and as this becomes more pervasive will be putting all sorts of interesting barriers between the power lines and anything with a computer in it…

    Oh, and stabilizing my own electricity against outages, of which there will be an exponentially increasing number…

    Have a nice kW-hr scale battery on the charger now. Going to “do” the living room cluster next. It ought to run the LR for about 3 to 4 hours at full use.

    With the office and living room done, it’s just bedroom lighting and the kitchen / washer-dryer set. For the bedrooms we can just use our regular fuel driven lighting if needed. As the appliances are all old and dumb, not too worried. I’m also happy to not do the dishes or wash clothes if the power is “out”, and can cook just fine on any collection of my dozen+ camping stoves. That just leaves the fridge and the Honda Generator runs it fine if needed.

    IFF in the future it is impossible to continue buying dumb appliances, I’ll put isolation between them and the line power. (Car charger, battery box, inverter). If they “go wireless” well, I have nippers and antennas are small… worst case is some lead foil. Well, really worst case is my 12,000 volt neon sign transformer ;-)

    Yeah, the “smart grid” is a really stupid idea. But it is easy to keep it out of my life.

  3. Larry Ledwick says:

    Tesla coils work nicely as white noise generators in the RF spectrum too!

    Some geeks set one up at a display at a local hotel back in the early 1990’s. Unfortunately that hotel was a little over 1/4 mile from the local FCC office and the FEMA region 8 facility on the Denver Federal Center.

    ( they have a really really nice log periodic antenna about 100 ft long on one of their towers which they won’t answer questions about what it is used for. I did one time trace some 4 character group transmissions to their antenna farm and when I asked someone at FEMA about them I got “that look”.

    Ooops oh sorry never happened.)

    Anyway the FCC went down to the hotel and gave them about 30 seconds to shut down their Tesla Coil display or they were going to start cutting cables and confiscating equipment.

    It was not a shut down request it was a “You will shut that down NOW!” situation.

  4. Larry Ledwick says:

    And then you have to look at the rapidly developing AI capabilities and where that goes and who manages to make major breakthroughs.


    Not saying Skynet or the Replicators of recent scifi but it could be as big a change in military operations as the advent of flight and the change will probably happen even faster.

    (Only 36 years elapsed between the first flight at Kitty Hawk and the first operational Jet aircraft the Heinkel He 178 )

  5. E.M.Smith says:

    My neon sign transformer is 1950s old school… Makes a nice Jacob’s Ladder about 2 foot tall and arcs about 5 inches, more if the coathanger wires are salt water coated at startup 8-)

    Just don’t run it for too long at any one time….

    When about 11? I had fun with it a lot… also made a broad spectrum RF amplifier (Tube… about 20 W?) for my walky talky and ran it into the 50 foot tall TV antenna leads… (acting as a long wire vertical with top hat). Heard complaints on the receiver from someone far far away… (W.WII army surplus tube SW). Ah, the days 8-)

    Lucky for me, being 70 miles from anything resembling “government”, by the time they woke up, I was in bed… and a vector “up valley” pointed at everyone…

  6. M Simon says:

    Tesla coils. Sign transformers, 20KV TV HV capacitors. Flyback HV power supplies.. I even had a Hammerlund Super Pro rcvr at one time. Kid stuff. Then I joined the Navy and played with it some more. Then worked on microprocessing a Navy radio for a contractor. That was back in the very late 70s early 80s. I was a kid for a very long time. I may still be.

  7. M Simon says:

    Larry Ledwick says:
    2 March 2017 at 12:37 am

    Where it gets interesting is robot armies vs robot armies. What is victory? What does victory mean? What advantage do humans get? What are we fighting for?

    Asimov’s 3 Laws?

  8. p.g.sharrow says:

    @M Simon; you would be delighted to play with some of my toys!
    Included is a flat spiral Tesla Coil of very high “Q” of 14 gauge secondary that can stress up to 4,000,000 volts. As it terminates in an enclosed center pincushion plasma jet it produces a fountain of plasma rather then a lightning bolt.
    My father, a one time Navy Electrician, set me to house wiring when I was 7. By the time I was 20 I was Electrician’s mate 3rd class. Kind of interesting to play with the foundation of the Universe…pg

  9. philjourdan says:

    I know about the IOT, and I have some IOT devices. But they are rarely connected to the Internet. What I had not thought about (probably because they have not come to this area yet) is the Smart grid. Should that happen, I will get a WH Generator that conditions the power as well as provides backup. They have gotten a lot cheaper (relatively speaking), and will block the “smart” from seeing into the house.

  10. E.M.Smith says:

    WH Whole House?

    I’ve thought of getting one. As electricity prices rise to crazy levels in California, it is sporadically economical to make your own electricity from natural gas…

  11. kneel63 says:

    The question isn’t “Am I being paranoid?”, it’s “Am I being paranoid enough?”
    With several billion people having internet access, leave anything with factory or weak passwords on the net, and it WILL get at least a hit, if not hacked.

    My favoured passwords are always the first letter of every word in a phrase – not many people can understand how I can remember stuff like “p?htfwik!”, when it’s simply “password? how the fudge would I know!” (no, I don’t use that one, or that exact f-word, but you get the idea)

    And smart meters may be worse than you think – not only are electricity distributors selling bandwidth to third parties (do you trust them to have appropriate systems in place to prevent source address spoofing and other bleedthroughs?), but even if the meters lived on secure private networks (they don’t), do you believe the meters would be secure enough to prevent a black-hat gaining access to that network?

    There are good reasons why military folks always want a human in a critical part of their systems and it ain’t job security!

  12. philjourdan says:

    Ooops! Yes – WH = Whole House. I have a portable now and it is enough for the brief outages we have (runs everything except AC and Dryer). But I will not succumb to “smart meters”.

  13. Jeff says:

    xkcd has a good comment on passwords (as the usual advice from ISPs and vendors is not really that good). Having spent many a year discouraging “ABCDE” and “12345” as well as the ubiquitous yellow stickies, it was great to find xkcd’s take on this:

  14. Lars P. says:

    kneel63 says:
    3 March 2017 at 9:05 am

    The question isn’t “Am I being paranoid?”, it’s “Am I being paranoid enough?”
    With several billion people having internet access, leave anything with factory or weak passwords on the net, and it WILL get at least a hit, if not hacked.

    My favoured passwords are always the first letter of every word in a phrase – not many people can understand how I can remember stuff like “p?htfwik!”, when it’s simply “password? how the fudge would I know!”

    Wouldn’t “password? how the fudge would I know!” be an even better password?

  15. E.M.Smith says:


    Yes. With modern fast decrypt engines, length matters more than obscurity. Those in the know now talk of passphrase instead of password.

  16. Larry Ledwick says:

    Not sure where to put this so sticking it here since it is security related to Internet apps.
    Apparently this app from google can accidentally divulge previous search results.

  17. E.M.Smith says:

    And people wonder why I don’t use Google for web searches…

  18. philjourdan says:

    And people wonder why I don’t use Google for web searches…

    Because it sucks unless you want the PC line. It does give all results, but makes sure the other side is buried deep.

    I prefer Duck-Duck-Go.

  19. jim2 says:

    I don’t have a google account. Crap like this and worse is why.

  20. Larry Ledwick says:

    And now we have a major cell phone tracking operation detected in the Washington DC area — the question is who and why?


  21. Pingback: Classical Values » Spieder

  22. E.M.Smith says:



Comments are closed.