'Smart' Toy Database Exposes Child Voice Recordings

John Lister's picture

Voice messages from parents to children through a 'smart' cuddly toy could be compromised. The security risk is a combination of a flaw by the designers and poor security practices by users.

The issue involves CloudPets, a range of $40 toys designed to help working parents stay in touch with their kids. The parent can leave a voice message via a phone app at any time and it will then be sent over the Internet and Bluetooth and played back through a speaker in the toy. The child can then press the toy's paw to record and send a reply.

The problem is that while delivering messages via a toy rather than a phone call is much cuter, the voice recordings are stored online. If they were properly protected, that wouldn't be a problem, but that doesn't seem to be the case.

Recordings Easy To Access

Security researcher Troy Hunt says that in a proper set-up, nobody would be able to find the location of the files online. However, the company behind CloudPets maintains a database that connects the toys and the apps to the recordings.

That database turns out to be accessible online and doesn't have any password protection or encryption; anyone who finds this database can go straight to the recordings. Hunt was able to easily access recordings made by children along with their profile photos. He estimated that 820,000 accounts were covered by the database. (Source: bbc.co.uk)

One Letter Passwords Allowed

To make things worse, the password requirements for the service are extremely lax, meaning even people who hadn't found the database would have a good shot of gaining access to many accounts anyway. A "how to" video by the company shows a user selecting the password "qwe" and it's even possible to choose a single letter as a password.

Hunt tried out some of the most obvious passwords and calculated that thousands of people had simply used "qwe" as a password, while "cloudpets" was also a predictably popular choice. (Source: troyhunt.com)

It also appears cybercriminals may have tried to hold up the company for ransom, threatening to exploit the security flaws. That raises questions about why the company didn't tell customers their data may have been at risk.

What's Your Opinion?

Is it the company's fault that customers were allowed to choose weak passwords? Should the customers take ultimate responsibility for their password choice? Should there be tighter data protection laws for companies that handle information relating to children?

Rate this article: 
Average: 4.8 (4 votes)


Kalisun's picture

Just being able to find the database online is bad already..but to be able to access it WITHOUT a password is just ridiculous!! How can that not be a incident waiting to happen? Just because it's a child toy isn't a problem, the problem stems from having private and very personal conversations on that "toy". To me that's not a toy anymore it becomes a recording device that is connected to the internet! on a unsecured database! They should also have a minimum amount of at least 8 characters for the user password, letting them use 1 character for a password is like not having a password or having a database access without a password! Oh wait..that's what they have..

ecash's picture

Who remembers the beginning of the net with BROWSERS..
we are not talking about Text based site here.
we are talking about sites that were designed to Work like PROGRAMMING..and encompass Multiple formats..(5-7 on any page)
How much fun was this?? Not very.
How much protection DID we pay for to PROTECT OURSELVES?
Av, Firewalls, Script protections, and a few others..
HOW easy was it to KEEP IT CLEAN?? not easy.
EVEN MSN was BAD..for 3rd party adverts that installed a TON of crap on your machine.(I received 5 virus on a clean install)
THIS site is naked compared to 99% of them..Go check MAKE.COM and how many Scripts that WANT you to allow.
How many MAJOR corps have been raided, for not having BASIC protections..(I mean a PERSON in the middle, a sysop/admin/something)

How many of these corps are Living in a BOX?? NOT paying attention?
How many SERVER groups are being @#$@%#$% STUPID??

1. WHy use a 3rd party?, a device connected to you Modem Could do all the work..
2. WHy are they STORING DATA? SEND and ERASE IT..
3. it MUSt have an active connection to use BT to send the info to the doll/toy..Or the computer is ALWAYS ON..(back to #1)
Just use a Primary or Make a second email account that would send the data to..
4. WHy does everyone wish to use 3rd party? when you can send directly to the device..WHy use a DOLL/TOY when your kid PROBABLY has a phone..