Connected toy manufacturer suffers data breach

03/03/2017
G DATA Blog

Manufacturer "Spiral Toys“ sells connected soft toys under the "Cloud Pets" brand. The toy transmits voice recordings between parents and their children. A massive data leak has now resulted in the exposure of this personal information to unauthorized individuals. About 800.000 registered users are affected.

Some background details

It is not a new fact that providers of voice services store and process voice data online. Everyone who has ever used Apple's Siri or Amazon Echo has also used such this type of infrastructure. Voice services are increasingly important and this trend shows no sign of slowing down. Those services offer many advantages but also harbor a certain risk potential, as Ralf Benzmüller pointed out in his article on the official start of sales for Amazon Echo in Germany (source article in German). Providers constantly strive to protect any of the data from unauthorized access to the best of their abilities. The potential damage inflicted by a data breach is catastrophic, both for providers as well as affected customers.
The current case of the Spiral Toys data breach clearly shows the consequences of such an event. Security researchers became aware that a database of the manufacturer was connected to the internet with no authentication at all. This database also contained the voice recordings that were transmitted back and forth between children and parents. The data was exposed to anyone who knew the corresponding web address.

Good intentions, crucial mistakes and bad timing

In all, two databases with nine GB of data combined were exposed over a time span of several weeks. Security expert Troy Hunt explains that the names of the database support the conclusion that those databases were not intended for production use. Having such test systems is not uncommon, but two critical mistakes were made: for one, test systems must never, under any circumstances contain real customer data. Also, the manufacturer failed to follow an essential part of the MongoDB security recommendations: protecting the database from unauthorized access by implementing an authentication system.

The database itself does not only contain the voice recording, but also user names and passwords. Even though Spiral Toys' choice of hashing algorithm is sound, it turns out that no password guidelines existed. This made it possible to create a password which consisted of one single character. The platform also allowed passwords which have been known to be insecure for years, such as "123245", "qwerty" or "password".

Another factor which contributed to the situation is the fact that incorrectly configured MongoDB instances have been a preferred target of criminals for the last couple of weeks. They have encrypted those insufficiently secured and connected databases en masse using ransomware and demanded ransom payments to decrypt them. Similar misconfigurations have lead to other prominent data breaches at ISPs and mobile carriers.

Effects and consequences

The current case will primarily cause the manufacturer to fall on economically hard times. The company's stock price has plummeted to about 0.5 cents per share since the reports on the data breach first emerged. On the customer side the current events will have an impact on the level of trust in cloud connected toys. In Germany, the Federal Network Agency (Bundesnetzagentur), a privacy watchdog, has recently banned the sale and distribution of „My Friend Cayla“ (another cloud-connected toy doll). It was found to be an espionage tool and as such it violates the German Telecommunications Act.
We also find one of our predictions for 2017 confirmed, which was that cloud providers and services will increasingly be under attack, resulting in data breaches.