Lack of security in smart toys is becoming a problem
Cloudpets sound like a cool idea. Use a teddy bear as a microphone and speaker to allow children to communicate with loved ones. It’s such a great idea that over 800,000 of the stuffed animals have been sold. How do we know this? Because the company has no clue how to do security.
A maker of Internet-connected stuffed animal toys has exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts.
…
The toys record and play voice messages that can be sent over the Internet by parents and children. The MongoDB database of 821,296 account records was stored by a Romanian company called mReady, which Spiral Toys appears to have contracted with.
Source: Creepy IoT teddy bear leaks >2 million parents’ and kids’ voice messages | Ars Technica
The database was completely open on the internet, and could be accessed without a password. What’s worse is that the recordings were stored on Amazon storage, again without a password. This means the attacker had full access to everything.
Security is hard to do, but apparently, Cloudpets thought that using a password was too hard.