back to article Two million recordings of families imperiled by cloud-connected toys' crappy MongoDB

Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation. Essentially, the $40 cuddly CloudPets feature builtin microphones and speakers, and connect to the internet via an iOS or Android app on a nearby …

  1. redpawn Silver badge

    Think of the Children

    Think how children would suffer if they didn't have the opportunity to be spied upon like their parents. Many adult toys can spy on you such as cars, tablets phones etc. A childhood without a taste of adult experience would leave them unprepared for their dystopian future.

    1. Warm Braw Silver badge

      Re: Think of the Children

      Far more entertainingly, think of the opportunity to add your own messages to the database to be played back to unsuspecting children and parents alike.

      1. Lotaresco

        Re: Think of the Children

        "Far more entertainingly, think of the opportunity to add your own messages to the database to be played back to unsuspecting children and parents alike."

        Someone has not just thought about it, they did it. The Cayla doll was hacked (easily) to make it a curse monster.

        Note that one of the really bad things about this is that the developers of Cayla put some thought into censoring Zuckerberg style the conversations that Cayla could have with a child, forbidding any mention of gay marriage for example, but couldn't be bothered to secure their trash-talking conduit to prevent someone "grooming" the child.

        I see you got a downvote, no idea why. Have an upvote to compensate.

        1. BillG
          Mushroom

          Child Neglect, Depraved Indifference, etc.

          Child Neglect, at the very least, comes to mind. Depraved Indifference is a charge that could easily stick.

          An example must be made. People at CloudPets must go to jail.

    2. ForthIsNotDead

      Re: Think of the Children

      "For example, a parent away on a work trip can open the CloudPets app on their smartphone, record an audio message, and beam it to their kid's toy via a tablet within Bluetooth range of the gizmo at home; the recording plays when the tyke press a button on the animal's paw."

      Or they could just call them on the fucking phone.

      1. Lotaresco

        Re: Think of the Children

        "Or they could just call them on the fucking phone."

        Wouldn't that qualify as paedophilia and incest?

        1. This post has been deleted by its author

      2. Kiwi Silver badge

        Re: Think of the Children

        Or they could just call them on the fucking phone.

        Or they could buy their pre-school kids a special toy where the kids can learn how to use very simple buttons to hear from dad/mum and leave a message for dad/mum.

        A phone is nothing special. But making teddy talk?

        (Ideally, the toy would have reasonable security behind it and a manufacturer who, if they screw up, admit it and deal with it quickly rather than trying to deny it when the stolen info is probably on TPB et al by now)

        [12hrs after original post - dunno how but I replied to and quoted the wrong message in my original post...]

    3. Anonymous Coward
      Anonymous Coward

      Re: Many adult toys can spy on you such as cars, tablets phones etc.

      Wait, what? Do we have the same concept of "adult toys"? Even if they have patented round corners, these may not be er, fit for purpose.

      1. Kiwi Silver badge
        Coat

        Re: Many adult toys can spy on you such as cars, tablets phones etc.

        Wait, what? Do we have the same concept of "adult toys"? Even if they have patented round corners, these may not be er, fit for purpose.

        Dunno.. Mate of mine said his x-missus could easily qualify as a "lose cannon"...

  2. Suburban Inmate
    FAIL

    Face. Fscking. Palm.

    For the sheer predictability of this omnishambles that was clearly obscured by dollar signs in the eyes of whoever signed off on the Bad Fucking Idea.

    I haven't caused any kids, but if I had I'd never let anything like this anywhere near them.

    1. Lotaresco

      Re: Face. Fscking. Palm.

      "I haven't caused any kids, but if I had I'd never let anything like this anywhere near them."

      What's irritating is how far back the warnings about Internet of Toys go back[1]. And even more scary is that their are fools out there using "Adult Toys" that connect to the internet without any form of security.

      [1] As others have pointed out the warnings go all the way back to the 1950s when science fiction authors thought about the implications of information technology and connectivity for toys.

    2. Mephistro Silver badge
      Angel

      Re: Face. Fscking. Palm.

      "I haven't caused any kids..."

      I thnk the correct word in this context is "perpetrated".

    3. Kiwi Silver badge

      Re: Face. Fscking. Palm.

      I haven't caused any kids, but if I had I'd never let anything like this anywhere near them.

      Most parents wouldn't let something near their kids that they believe is a serious risk. I can bet if you did have kids you'd probably have something near them without giving it a thought that others would make sure never got near their kids.

  3. a_yank_lurker Silver badge

    Incompetence

    The sheer stupidity of essentially no security is mind boggling. With this lack of security the backed db does not matter because there are far deeper design problems.

    1. 2+2=5 Silver badge
      Joke

      Re: Incompetence

      Yeah but... on the plus side, their backup regime is excellent as, clearly, they were able to restore after each wipe. ;-)

    2. Just Enough

      Re: Incompetence

      What's particularly gob-smacking is that apparently their data has been already hijacked 3 times for ransom. Why did they make no attempt to fix the situation the first, second or third times?

      'Hey boss, it's happened again!'

      'Oh FFS! Give them the money!'

      'Ok. We look at securing the database now?'

      'No. The chances of this happening yet again must be astronomical!'

      1. Boothy

        Re: Incompetence

        There was no mention of paying the ransom, so I'm guessing they just restored from a backup each time (as mentioned in the joke above).

        1. Bandikoto

          Re: Incompetence

          The data sounds ephemeral, so to speak. The cloud store exists to pass it along to the target device at the home where the toy lives. Had the black hats been more aggressive, I can just imagine little Sophia asking "Mommy, what does 'exsanguinate' mean?"

        2. John Brown (no body) Silver badge

          Re: Incompetence

          "There was no mention of paying the ransom, so I'm guessing they just restored from a backup each time (as mentioned in the joke above)."

          No. The ransom is cheaper than paying for proper backups. They are relying on anonymous others to take the backups on their behalf. Pay as you go restore backups.

      2. dgc03052

        Re: Incompetence

        "Why did they make no attempt to fix the situation the first, second or third times?"

        Your imagination just isn't up to the level of incompetence out in the field. They probably have something hard coded into the bears or apps that are out in the field... We just haven't heard about it because it doesn't happen with every access, just something like initial setup or reset (and seriously, why spend more time investigating their level of security).

    3. Anonymous Coward
      Anonymous Coward

      Re: Incompetence

      The sheer stupidity of essentially no security is mind boggling. With this lack of security the backed db does not matter because there are far deeper design problems.

      Oh, I think that designing it properly or hiring someone knowing something about security would, you know, cost money, so no way we're doing that....

  4. P. Lee Silver badge

    But it's Cloud!

    Doesn't that mean security is someone-else's problem?

    I don't think I'd have deleted the data - it clearly has little value.

    I think I'd have threatened to modify the recordings.

    Grandma will be most surprised at little Tyke's vocabulary.

    Cue sue-balls.

    Far more effective than holding Tyke's message to ransom.

    1. Anonymous Coward
      Anonymous Coward

      Re: But it's Cloud!

      I remember a sci-fi story (forget its name) where every child has a talking teddy that teaches them right from wrong, preventing crime..... One boys is reprogrammed by his father so the kid can be used to kill...

      Can you imagine a little kid where the teddy whispers to them dark thoughts as they play.... scary

      1. DNTP

        Re: But it's Cloud!

        Harry Harrison's "I Always Do What Teddy Says"

        Somehow it seems that I've been posting comments relating to this story a lot more in the last two years, children's toys are probably beyond the line where the current IoT craze should have stopped.

        1. Martin an gof Silver badge

          Re: But it's Cloud!

          Harry Harrison's "I Always Do What Teddy Says"

          The flip side of that is A Young Lady's Illustrated Primer in Neal Stephenson's The Diamond Age, a book which also contains somewhat sophisticated 3D printers...

          M.

  5. MrDamage

    If

    A security breach researcher can picture his daughter using a web-connected teddybear, I have strong doubts that he is actually a security breach researcher.

  6. allthecoolshortnamesweretaken

    And this, Charlie Brown, is what "cloud" is all about.

    Solutions looking for problems, with the added bonus of crappy security and new attack surfaces.

    As a side note, about the "it's hard to picture a more innocent scenario" bit - anyone who thinks that four year old girls are harmless hasn't been to kindergarten.

  7. Mark 85 Silver badge
    Facepalm

    Show of hands.... anyone surprised by this?

    1. Lotaresco

      "Show of hands.... anyone surprised by this?"

      Not when Pen Test Partners have been briefing about these vulnerabilities since 2014.

      They have some sensible advice about Cloud Pets on their website.

      1. Anonymous Coward
        Anonymous Coward

        "Not when Pen Test Partners have been briefing about these vulnerabilities since 2014.

        I have an indelible recollection from 35 years ago of a friend's 2 year old daughter confiding secrets to her doll.

        It doesn't take much imagination to see the dangers there.

      2. CrazyOldCatMan Silver badge

        They have some sensible advice about Cloud Pets on their website.

        Does it involve incineration, use of a lupara at short range or copious amounts of gunpowder?

  8. WibbleMe

    How exactly is MongoDB crap if the developer failed to secure it? The fact that you get warning messages in the MongoDB log file about it not being secured should be a giveaway.

    https://docs.mongodb.com/manual/administration/security-checklist/

    1. Phil O'Sophical Silver badge
      FAIL

      Yes, we all know everyone checks then logfiles to see if they've made a mistake when otherwise the system seems to be working perfectly.

      Any product that isn't secure out of the box when installed is unfit for purpose. If the developer has that cavalier an approach to security in general, what hope is there that the rest of the security "features" have ever been tested?

      1. HieronymusBloggs

        "Any product that isn't secure out of the box when installed is unfit for purpose."

        A developer who ignores basic security is unfit for purpose IMO. This is presumably someone who does this for a living, not just some random member of the public.

    2. Hans 1 Silver badge
      Windows

      The whole point is, there are IT admins and devs that are useless.

      The lack of hardening of the MongoDB sais it all about the IT team.

      The fact that they were saving recordings in WAV says it all about the devs, really, what a bunch of useless morons.

      I would fire the entire dev/IT team if I were in charge of that toy outfit, I would name and shame the guyz on the Internet, never to find a job in IT again.

      MongoDB could have provided idiot-proof defaults, then again, MongoDB have decided NOT to cater for idiots, that is their call.

      Log files is good, RTFM is much, much better ...

      The good news in all this, we get to:

      1. Know about data slurped by toy manufacturers being stored in the cloud .... for no obvious technical reason. The masses will probably react at some point ....

      2. Have a new company to add to our CV-scanner's blacklist

      1. Doctor Syntax Silver badge

        "I would fire the entire dev/IT team if I were in charge of that toy outfit"

        Those in charge are equally guilty. Either they paid no attention at all or ignored the risks. If you'd been in charge you should have been fired as well.

      2. pop_corn

        > "I would name and shame the guyz on the Internet, never to find a job in IT again."

        Right because you've never made an IT mistake, and all the rest of us are perfect programmers too, who sprang into the world with all the knowledge we have now?

        People learn far more from their mistakes than successes. Sure fire the IT dept, but can bet your boots those guys/girls won't make the same mistake twice. To suggest that for 1 mistake someone should lose their career, livelihood, then possibly their house and wife, is ridiculous.

        1. Alister Silver badge

          People learn far more from their mistakes than successes. Sure fire the IT dept, but can bet your boots those guys/girls won't make the same mistake twice.

          Except in this case, they obviously have, not once, but multiple times. Their databases have been deleted on several occasions, and replaced with warning messages, and they have had to restore the databases each time, and yet apparently, at no stage did they wonder why this was happening, or investigate ways to stop it.

          1. Boothy

            Quote: People learn far more from their mistakes than successes. Sure fire the IT dept, but can bet your boots those guys/girls won't make the same mistake twice.

            Except in this case, they obviously have, not once, but multiple times. Their databases have been deleted on several occasions, and replaced with warning messages, and they have had to restore the databases each time, and yet apparently, at no stage did they wonder why this was happening, or investigate ways to stop it.

            They are most likely different people/teams. The devs were probably hired to build the system, and have likely long since gone. Being replaced by a likely cheaper support team (or person), who probably doesn't know much about MongoDB itself.

        2. DropBear Silver badge
          Trollface

          "...then possibly their house and wife, is ridiculous."

          What sort of toxic environment has this site become to insinuate that only males (and homosexual females) could possibly be at risk and/or own a house, in such a grossly sexist manner?!? Outrage!!! /s

        3. Kiwi Silver badge

          but can bet your boots those guys/girls won't make the same mistake twice.

          I dunno.. Reading the article.. Seems like they made the mistake a few times over.....

          (I do agree with your post though, have an upvote)

      3. CrazyOldCatMan Silver badge

        I would fire the entire dev/IT team

        I think "sue the company into non-existance" would send the correct message.

      4. Anonymous Coward
        Anonymous Coward

        Log files is good, RTFM is much, much better ...

        Making it just work securely without the need to read either logfiles or TFM is better still.

    3. Smooth Newt
      Stop

      How exactly is MongoDB crap?

      How exactly is MongoDB crap if the developer failed to secure it? The fact that you get warning messages in the MongoDB log file about it not being secured should be a giveaway.

      MongoDB should have been designed for human beings to use, not the other way round - human beings should not have to be redesigned to safely use MongoDB. It is human nature to look for shortcuts, including not wading through log files and voluminous documentation if everything looks fine. If a product fails because the user doesn't do something, or does it wrong, then it should fail safely.

  9. Version 1.0 Silver badge
    Facepalm

    My ten cents...

    This is not a surprise - think about how products are developed, manufactured and sold these days:

    Someone knocked up a demo using an Arduino or similar, showed it to the boss who took it and ran with it, management saw potential and the development and marketing team was assigned. They simplified the whole thing, shipped the design offshore to be built really cheaply. The toy sells for $20 so the manufacturing and support cost is probably about $7 - back end IT support is probably seeing about 1% of that.

    Just how much security does 10 cents buy you?

  10. Anonymous Coward
    Anonymous Coward

    SQL 2000 had a blank password for the 'sa' admin too

    Looks like MongoDB is partying like it's 1999.

  11. Haku

    The rush to bring a product to market overlooked security?

    No surprises there.

    On a similar note it's probably about time encryption was introduced as a standard to the radio control hobby market, because it's apparently fairly easy to hijack someone's drone if you have the right kit with a bit of knowledge, and it wouldn't surprise me if someone decides they can make some money selling an easy to use drone hijacking device.

    There would be a danger it's a run-of-the-mill ~1kg camera drone being operated in the vicinity of pedestrians (which it probably shouldn't be), but could be so much worse if the drone in question were a large hexacopter / octocopter capable of carrying cinema quality cameras that weighs many kilos and can cost 10's of thousands.

  12. Mage Silver badge
    Flame

    Mongo DB is irrelevent

    Toys that connect to the internet at all should be illegal. Possibly they are

    Vtech gadgets

    Mattel: Been fined for website privacy of children users, never mind talking barbie

    others

    This is now common.

    1. Kiwi Silver badge

      Re: Mongo DB is irrelevent

      Toys that connect to the internet at all should be illegal.

      Why? While it would pretty much remove the need for IPv61 and get rid of the vast majority of trash2, what would making them illegal solve?

      1 For a great many people, their laptops, cellphones, computers, tablets etc are little more than "toys". If "all toys" were no longer allowed to connect to the internet, we'd see the end of probably the majority of home internet connections, thus a massive opening up in the availability of IPv4 addresses, and probably a significant drop in the number if ISPs as well. And yes, my home computing devices are "toys". If not, they would be "work" and therefore would not be "home" devices.

      2 Trash like malware, 85% of social media, 95% of youtube, 99.999999% of youtube comments....

  13. muddysteve

    How long is it going to be

    before events like this are so common they are no longer news?

    1. John Brown (no body) Silver badge

      Re: How long is it going to be

      That's already happened. But this is a tech site so it's still news here.

  14. bluefin333
    Childcatcher

    Harry Harrison - I Always Do What Teddy Says...

    Every story of this type reminds me of the short written in the mid 60's by HH. Only a few pages long, really worth a read and now not too far removed from today's treacherously tricky trendy teddy tech and some nations politics...

    1. LewisRage

      Re: Harry Harrison - I Always Do What Teddy Says...

      Just had a quick read, very appropriate and thoroughly enjoyable.

      1. Version 1.0 Silver badge

        Re: Harry Harrison - I Always Do What Teddy Says...

        Oh Lordy, I hadn't read that one before ... that's scary good!

  15. MrXavia

    What is the database doing exposed on the internet anyway? surely the only exposed bits of your entire system should be the required customer facing API's/web servers, and then only the required ports...

    Everything else should be locked down tight...

    1. phuzz Silver badge

      Exactly this.

      It would be helpful if MongoDB insisted on a password, but lets face it, we've all seen databases where there's only the admin user and they have a trivially guessable password, that's probably hardcoded in a bunch of places. Ideally, you don't want anyone except your web servers talking to the DB directly, and then you just have to worry about SQL injection and the like.

  16. druck Silver badge

    Waste of time

    Well at least trawling through gigabytes of children's random babbling to their toys, will keep any miscreant busy for a long time. The likelihood of a child reading out their parents full credit card number and CVV code are quite low, so financial losses are unlikely. As for privacy issues, parents should now know what sort of thing not to buy next Christmas.

    1. Jason Bloomberg Silver badge
      Black Helicopters

      Re: Waste of time

      As worrying as the leak and lack of security are; it seems difficult to imagine that there is much data which could be useful to anyone who got hold of it.

      "Hello dearest. Daddy's off to see the President to hand over the launch codes. If anything happens tell mummy to call Tigger and repeat 6734-12-83-9173-Charlie-Zulu. She'll know what that means. Night night, Sweetie-Pie".

      1. John Brown (no body) Silver badge

        Re: Waste of time

        "it seems difficult to imagine that there is much data which could be useful to anyone who got hold of it."

        From the link in the Reg article

        "the data sent to Lorenzo shows that along with references to their profile photos, it contained the names of children and their day and month of birth (although not year). It also contains relationships to parents and "friends" (i.e. grandmother, uncle) that have been authorised to share messages with the child."

        There's also the email address used to sign up. How many people use a childs, oets or reletives name or DoB as a password? The year may be missing from the DoB field but is guessable give or take a few years so easy to try a few. So, at the very least, a lot of email accounts might be directly at risk.

        Banks often uses mothers name etc as part of a verification process and the linked data includes the child's relatives and their relationship and if a miscreant already has access to your email account then a lot of relevant info is there for social engineering attacks. It's also quite likely that those same email addresses will have turned up on other data breaches too. Maybe someone with a young child has/had an Ashley Madison account. Should dolly tell child and reletives all about daddy's dalliances or will daddy pay to keep the doll quiet?

  17. Andy The Hat Silver badge

    What if I was a naughty person?

    This would this make a great comms medium for 'gangster' types.

    "Yes, I do love teddy bears officer, Bye ..."

    "Now Fingers Bear, go check out the doll's house ... and Cuddles can you help please?"

    Time passes ... Boss prods bear's paw ...

    "I'm stuffed Boss ..."

    Cue Starsky and Hutch type music and tyre squealing ...

    "No Officer, I don't know where that message came from or what it means. The bears must be on an insecure communications channel discussing toy houses and cuddly toy interiors ..."

  18. Anonymous Coward
    Anonymous Coward

    No worries, IoT peddlers have our backs, right?

    So why are consumers buying into:

    .....IoT,

    .....Win10,

    .....Android Smartphones / Tablets,

    .....Smart TV's (Vizio / LG / Samsung)???

    ~ Is it the same low hanging fruit who upload everything to Gmail and Facebook, Snap and Instigram because they don't care / say they've nothing to hide???

    ~ Lack of choice is part of it, and retailers and the media are complicit here. Stores need to be pressured into stocking privacy-healthy products... But when's that going to happen, when there's nothing more to leak???

  19. ZenCoder
    Joke

    Easy Way to Have the Problem Addressed

    Hack it to have the Teddy Bear repeat offensive statements about powerful but thin skinned US politicians and maybe also Erdoğan, Putin, Kim Jong-un, Abu Bakr al-Baghdadi, etc.

    Then again maybe someone already has explaining the lack of response to such an easily fixed problem.

    1. Destroy All Monsters Silver badge
      Windows

      Re: Easy Way to Have the Problem Addressed

      What IS the people's problem with Putin?

      Without Putin we would see Russia a stomping ground for US kleptocrats, neocons and super-imperialists who can't croak fast enough, the US with boots on the ground in Syria even under Black POTUS, drawing "red lines" while abrading the country to house foundation level with DU rounds -- and possibly even Hillary, who is literally the wench of Babylon with added pizza delivery service, in power.

      Be thankful for small mercies.

      1. John Brown (no body) Silver badge

        Re: Easy Way to Have the Problem Addressed

        and possibly even Hillary, who is literally the wench of Babylon with added pizza delivery service, in power.

        Be thankful for small mercies.

        I'm still not sure which is the rock and which is the hard place. One is the wench of Babylon, one is a guinea pig attempting to hatch an orange. One of them is in power, one of them isn't. Neither is a viable option.

  20. Destroy All Monsters Silver badge
    Childcatcher

    Completely unrelated

    All of this is Not Nice but can anyone explain to me what evil miscreants will do with several months of kids talking to their bears?

    (Let's just listen to some Message To Bears because why the hell not.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019