'Smart' Toy Database Exposes Child Voice Recordings
Voice messages from parents to children through a 'smart' cuddly toy could be compromised. The security risk is a combination of a flaw by the designers and poor security practices by users.
The issue involves CloudPets, a range of $40 toys designed to help working parents stay in touch with their kids. The parent can leave a voice message via a phone app at any time and it will then be sent over the Internet and Bluetooth and played back through a speaker in the toy. The child can then press the toy's paw to record and send a reply.
The problem is that while delivering messages via a toy rather than a phone call is much cuter, the voice recordings are stored online. If they were properly protected, that wouldn't be a problem, but that doesn't seem to be the case.
Recordings Easy To Access
Security researcher Troy Hunt says that in a proper set-up, nobody would be able to find the location of the files online. However, the company behind CloudPets maintains a database that connects the toys and the apps to the recordings.
That database turns out to be accessible online and doesn't have any password protection or encryption; anyone who finds this database can go straight to the recordings. Hunt was able to easily access recordings made by children along with their profile photos. He estimated that 820,000 accounts were covered by the database. (Source: bbc.co.uk)
One Letter Passwords Allowed
To make things worse, the password requirements for the service are extremely lax, meaning even people who hadn't found the database would have a good shot at gaining access to many accounts anyway. A "how to" video by the company shows a user selecting the password "qwe", and it's even possible to choose a single letter as a password.
Hunt tried out some of the most obvious passwords and calculated that thousands of people had simply used "qwe" as a password, while "cloudpets" was also a predictably popular choice. (Source: troyhunt.com)
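A signup-time check that would reject the kinds of passwords described above, as an added example that is not CloudPets code. The minimum length of 8, the small constructed blocklist, the sample email address and all function names are assumptions made for illustration.

```python
import re

MIN_LENGTH = 8  # assumption: minimum length for user-chosen passwords
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Constructed sample; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "iloveyou", "letmein1"}


def context_words(service_name, email):
    """Words an attacker guesses first: the service name and parts of the email."""
    local, _, domain = email.lower().partition("@")
    raw = " ".join([service_name.lower(), local, domain.split(".")[0]])
    # Ignore fragments shorter than 3 characters so they do not match everything.
    return {w for w in re.split(r"[^a-z0-9]+", raw) if len(w) >= 3}


def is_keyboard_walk(pw):
    """True when the whole password is one run along a keyboard row, either direction."""
    if len(pw) < 3:
        return False
    return any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password, service_name, email):
    """Return the reasons to reject a password; an empty list means accept."""
    pw = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if pw in COMMON_PASSWORDS:
        reasons.append("common password")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    if any(word in pw for word in context_words(service_name, email)):
        reasons.append("contains service or account name")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including the ones named in the article.
    for candidate in ("a", "qwe", "cloudpets", "qwertyui", "tidal-orchid-lantern-42"):
        verdict = check_password(candidate, "CloudPets", "parent@example.com")
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

Running the same check server-side, not only in the app, keeps it from being bypassed by a client that skips validation.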
It also appears cybercriminals may have tried to hold up the company for ransom, threatening to exploit the security flaws. That raises questions about why the company didn't tell customers their data may have been at risk.
What's Your Opinion?
Is it the company's fault that customers were allowed to choose weak passwords? Should the customers take ultimate responsibility for their password choice? Should there be tighter data protection laws for companies that handle information relating to children?