IoT teddy bear CloudPets had a database breach leaking 820k+ account details
#1
This was reported about 2 weeks ago (Feb. 28) but I just came across it while looking at some Vault 7 news coverage.

Web security expert Troy Hunt (who runs HaveIBeenPwned) has an excellent writeup on the entire episode. You can also find a less detail-heavy article about this on Motherboard Vice.

The CloudPets' teddy bear is connected to the internet to allow parents and children to record and send each other audio messages when they're far apart. You can watch CloudPets' promotional video to see how it works.

What happened is that on Dec 30 or 31st, someone found out that they could access CloudPets' MongoDB database without any authentication. The database contained users' emails and bcrypt-hashed passwords. Even though the passwords were hashed, CloudPets didn't impose any password rules (e.g. minimum length, numbers, uppercase letters) on their users, which meant that a lot of the passwords were very weak, as Hunt verified when he tested with hashcat. In fact, in their own video tutorial, the password used was "qwe". Once you have an account's password, you can then access pictures and audio recordings for that account via CloudPets' app.

The researchers/journalists tracking this breach also noted 3 separate incidents on Jan 7 and 8 where the original databases were deleted and a ransom demand was made.

To make things worse, numerous attempts were made to contact the company behind CloudPets, Spiral Toys, since Dec 30th last year via their support email, the email listed on their WHOIS record, the email of their hosting provider Linode, among other channels, but there was no response from Spiral Toys up until recently (Feb 27). In any case, there were no more publicly accessible databases after Jan 13 on that IP address.

Troy Hunt's article linked above has a point-by-point rebuttal of inaccuracies in Spiral Toys' response (it's under the headings "Updates I" and "Updates 2").

From what I read, the company has also not informed users about the breach in the two months since it was discovered. One thing I don't really understand is why news reports about this data breach were only published 2 weeks ago even though the breach itself took place more than 2 months ago.

If this is not bad enough, there has also been another recent revelation that anyone with a smartphone within 10m (or further if you use directional antennas) can connect to CloudPets toys via Bluetooth and send or receive commands/data, e.g. sending terrifying audio recordings to the toys. The security researcher who disclosed this, Paul Stone, said that this is possible because the toys don't use Bluetooth security features like pairing, which would allow for authentication/encryption. Technical details of this disclosure can be found on Stone's blog post. The code he used for hacking the toy is hosted on GitHub.

Something similar happened back in Nov. 2015: the database of HK-based kids' gadget company VTech was hacked using SQL injection and leaked details of 4.8+ mil accounts. The database included private information like names, addresses, IPs, and even children's headshots and chat logs. Links: Vice Motherboard's coverage part 1 and part 2, Troy Hunt's writeup, and VTech's press release.
#2
Oh look, another company making an IoT device with no thoughts for security. Lemme just file this under "why the FCC needs to test security too".
#3
*clap* *clap* *clap* a MongoDB database with no authentication?! These people should be sued! How careless can they be...?
#4
What, really, how can you not have authentication in your database if you are running a website? That's just very careless... Even very small site owners have this much security concern and use authentication...
#5
Can't be surprised, honestly, with all these companies neglecting their users' security.
I mean, take a look - IoT hacks are one of the largest ways for malware authors and malicious users to: a. get personal data and b. launch large botnets that have massive attack power.

I wonder why people even buy these "smart" devices - if they're connected to the Internet, they can be hacked.
#6
Some groups are hacking servers running MongoDB because in its default configuration it allows external connections without a password.

I never used MongoDB, but for people that use MySQL/MariaDB or the like, you can protect your MySQL server from external connections (if you don't need them, of course).

I use the MySQL variable skip_networking. It will ignore TCP/IP connections and only accept Unix sockets.

Quote: --skip-networking

Does not listen for TCP/IP connections at all. All interaction with mysqld must be made using named pipes or shared memory (on Windows) or Unix socket files (on Unix). This option is highly recommended for systems where only local clients are permitted. See Section 9.12.5.2, "DNS Lookup Optimization and the Host Cache".
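The MongoDB side of the same fix, added here as an illustration (this is not configuration from CloudPets or from the post above): a mongod.conf in the YAML format MongoDB uses, first in the permissive shape that leaves an instance open on every interface with no authentication, then corrected. MongoDB 3.6 and later bind to localhost by default; the builds behind the early-2017 wave of ransomed databases did not. The port, the app-server address and the admin user name are assumptions.

```yaml
# WEAK: the shape that exposes an instance to the whole internet.
# Older mongod builds behaved this way unless told otherwise; writing the
# settings out explicitly makes the problem visible in a config review.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
security:
  authorization: disabled  # anyone who can reach the port can read and drop
                           # every collection, which is how the ransom notes
                           # got written into the databases

---
# CORRECTED: listen only where the application actually connects from,
# and require a login before any data is returned.
net:
  port: 27017
  bindIp: 127.0.0.1        # local clients only; append the app server's
                           # private address (e.g. 127.0.0.1,10.0.0.5, an
                           # assumed value) if the app runs on another host
security:
  authorization: enabled   # every connection must authenticate as a user
                           # created with db.createUser() before data is served

# Bootstrap after restarting mongod with authorization enabled (mongosh, from
# localhost; "admin" is an assumed user name):
#   use admin
#   db.createUser({ user: "admin", pwd: passwordPrompt(), roles: ["root"] })
```

Verify the result from the host with `ss -ltnp | grep 27017`: the listener should show 127.0.0.1 (or the private address), never 0.0.0.0 or *.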
#7
(2017-03-21, 1:41:08 pm)FlamesRunner Wrote: -snip-
I wonder why people even buy these "smart" devices - if they're connected to the Internet, they can be hacked.

Because people have no security sense whatsoever. The users typically have even less security sense than the people peddling these goods.
#8
What is it with IoT devices and security vulnerabilities? An unsecured database? It's like they didn't even try. IoT is becoming more synonymous with insecure every day.