back to article CloudPets' woes worsen: Webpages can turn kids' stuffed toys into creepy audio bugs

As the world learns of its embarrassingly leaky customer database, internet-connected cuddly toy maker CloudPets is under further scrutiny. This time for not securing its gizmos against remote exploitation via the Bluetooth Web API. Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the …

  1. dbtx

    connected teddy bear outfit CloudPets

    wat

    1. Anonymous Coward
      Anonymous Coward

      Re: connected teddy bear outfit CloudPets

      Hmm, seems the bit I quoted was edited (clarified?) sometime after. I'm not questioning your choice of words, I'm merely remarking upon the absurdity of anyone running a business in that niche and by that name.

      not-really-Anon because I wanted the icon

  2. Anonymous Coward
    Anonymous Coward

    PR is cheaper than security

    See title

    1. MrDamage

      Re: PR is cheaper than security

      But not cheaper than lawsuits.

      Unfortunately, mobs like this will be a mere holding company, with zero assets, incorporated in the Cayman islands.

    2. Anonymous Coward
      Anonymous Coward

      'But not cheaper than lawsuits.'

      Sure, but are there laws in most jurisdictions to cover IoT...???

      Clever lawyers will just get the courts to blame stupid users etc...

    3. Christian Berger

      No, PR people are easier to hire

      It's not like you can't get decent developers for what PR people cost.

      All you need is people who know their limits. Since most of this is utterly trivial stuff, you just need the people who solve this in the most primitive way.

      1. BillG
        Megaphone

        Re: No, PR people are easier to hire

        CloudPets appears to be a holding company, the actual company that made these little privacy nightmares are Spiral Toys:

        http://spiraltoys.com/investor-info/#people

        CEO: Mark Meyers

        CTO: Jorge Freitas

        There is absolutely no mention of this security nightmare on the CloudPets or Spiral Toys websites.

  3. Pascal Monett Silver badge

    "given up after hitting silence"

    Those are the golden words that instantly make me put a company on my personal black list.

    Congratulations, CloudPets, I will now and forevermore not only not purchase any of your products but I will additionally express my opinion of your shoddy handling of this issue to everyone within earshot.

    Remember : mistakes can be forgiven, we are all human, but sweeping mistakes under the rug of silence cannot. That is a sign of a specific behavior : the inability to own up to one's mistakes. And if you can't own up, you'll never correct them.

    1. John Brown (no body) Silver badge

      Re: "given up after hitting silence"

      "Congratulations, CloudPets, I will now and forevermore not only not purchase any of your products but I will additionally express my opinion of your shoddy handling of this issue to everyone within earshot."

      Judging by the share price quoted in the original story, they may not be around long enough to suffer any consequences. If they do go under, I wonder how expensive those soon to be inert cuddly toys will seem? Although inert sounds a lot safer than the current situation, the owners are still going to feel ripped off.

      1. Pascal Monett Silver badge

        And the irony is that even after the company goes down, the vulnerability will still be there to eavesdrop on unsuspecting kids.

  4. Anonymous Coward
    Anonymous Coward

    The Stasi States' Childcatchers are live and well

    at all those TLA's and FLA's.

    Now where's that Icon ?

    Ah! Anon, but they know who we all are anyway.

    1. Lotaresco Silver badge

      Re: The Stasi States' Childcatchers are live and well

      "at all those TLA's and FLA's."

      Tut.

      I suspect you mean TLAs and ETLAs. Consider yourself admonished.

  5. Bentley Bear

    How will Privacy Shield or GDPR protect us against this ?

    It would be interesting to hear some views on this. Perhaps a comment from the ICO ?

    1. 0laf Silver badge

      Re: How will Privacy Shield or GDPR protect us against this ?

      They'll probably just seek consent through an obtuse set of Ts and Cs that you must agree to before you can use the toy.

      Consent is supposed to be 'informed' so there may be an argument there but any penalty wouldn't be as much had they not sought any consent at all.

      Under GDPR they may be open to larger fines but if they're in an non-EU country they'd probably just withdraw from the market rather than pay a fine.

  6. hplasm Silver badge
    Happy

    That bear...

    ... does he work for the Government?

    Said Mr Gruber.

    1. Warm Braw Silver badge

      Re: That bear...

      The Peruvian government.

  7. Anonymous Coward
    Anonymous Coward

    These are located in "the entertainer" shops on the aisle directly opposite the till so are being actively pushed at the moment along with some glimmer toys with an annoying video that plays on motion detection. There a nice picture of dad telling the kids he's going to be late from work (Oh, the cliché)

    What I want to know is,

    Why has this not been reported by the general media?

    Why have toy shops not stopped selling them?

    They are clearly defective in the sense that they can be used by others to record audio from inside your house. While unlikely in general it only takes someone in a semi living next door to someone with this to start snooping.

    I actually said to my partner when we saw them on Monday that it would be a cold day in hell before I buy one of those and I bet they get hacked. Took a day, well played cloud pets for fulfilling my expectations.

    1. fuzzie
      Devil

      Sounds to me there's great fun to be had walking into the store with your laptop, pwning their entire swarm of toys and getting them to mouth some less-than-family-friendly utterings.

      That's sure to get them off the shelves in double time :)

    2. Martin an gof Silver badge

      These are located in "the entertainer" shops on the aisle directly opposite the till so are being actively pushed at the moment

      Just went on The Entertainer's website and found that all five variants of Cloud Pets are "out of stock" so maybe they have seen the story and have withdrawn them from sale. I'm not popping into my nearest Entertainer store to check if they are still on the shelves!

      No obvious warning note on the website though, saying why they are no longer available or telling people to stop using them :-)

      M.

      1. Anonymous Coward
        Anonymous Coward

        While I can confirm that they appear to be currently out of stock on The Entertainer's website, it's also notable that the price is listed as £5.99 down from a scored-out £29.99- a massive reduction.

        (The archive.org copy of the page confirms they *were* actually selling them at that price.)

        So it's possible they genuinely are sold out because they were so cheap- but then, I'm curious as to why they'd have done *that* in the first place!

  8. Jason Bloomberg Silver badge
    Stop

    Grab the burning torches and pitchforks

    Scaremongering over the Bluetooth API is simply opportunistic agenda pushing; no better than criticism that a browser allows a web cam to be turned on when the user allows it to be turned on, accusing safety filters of not working when the user has explicitly disabled those, blaming a browser for allowing the upload of confidential files when the user decides to upload those files.

    Presumably the gun, rope, pills or razor blade - or those who sell such things - are to blame when some poor sod decides to top themselves.

    And I guess routers should not allow people to expose their networks to the public because bad things can then happen.

    I can agree there are some people who need help protecting themselves from themselves but that does not mean we need wide sweeping nanny-statism which prevents those who understand what they are doing from doing that. Just because El Reg doesn't like it doesn't mean that others don't.

    1. Dan 55 Silver badge

      Re: Grab the burning torches and pitchforks

      About the webcam: the browser can get pwned meaning that the pop-up asking for permission might not appear.

      About the Bluetooth API: As you can see here, a malicious web page can connect to remote devices and use them to obtain data. Obviously the paw pair confirmation thing was broken (it didn't do anything, and it takes a stupid kind of bastard to say that's OK, ship it, stupid because he's going to get caught out), but there are plenty of Bluetooth devices around where you can tell the product from its address and protocols and feed it the default pairing PINs or take advantage of exploits.

      The browser needs to get back in its sandbox.

    2. This post has been deleted by its author

      1. Lotaresco Silver badge

        Re: Grab the burning torches and pitchforks

        "I have two of these cuddly-toy-becomes-eves-droppers and to be honest I really couldn't care less. "

        Really, and when the "sad-o" tells your children that mummy and daddy don't love them anymore and that the only person to trust is Uncle Ernie who is sitting outside in his van with some nice sweets? He'll know exactly the right moment to get in touch because he'll have heard your child having a tantrum and screaming "I hate you!"

    3. Lotaresco Silver badge

      Re: Grab the burning torches and pitchforks

      "Scaremongering over the Bluetooth API is simply opportunistic agenda pushing;"

      <sigh> You may want to acquaint yourself with the facts before dismissing the valid security concerns over these things. The makers of the Cayla doll responded much as you have, complacently. Fortunately Germany takes these issues more seriously and the obnoxious doll has been removed from sale (in Europe at least). See this link for an overview of the isues:

      https://www.pentestpartners.com/blog/myfriendcayla-banned-are-all-listening-bluetooth-devices-set-for-the-bin/

      Cayla was an insecure Bluetooth headset disguised as a doll. However hacking Cayla could lead to the doll being used to groom children, abuse them (as in cyber bullying), estrange the children from their parents and to steal information that could be used for other purposes. If you think having someone spy on you in your own home isn't a bad idea, consider if you ever read out your payment card details within hearing range of a device.

      You also shouldn't be making casual assumptions about your child's right to privacy.

      Here's a description of the issue with Cayla and other listening devices:

      https://www.pentestpartners.com/blog/my-friend-cayla-updated-app-updated-security-fails-how-to-make-her-swear-again/

      Here's a BBC item about the same:

      http://www.bbc.co.uk/news/technology-31059893

    4. dbtx

      Re: Grab the burning torches and pitchforks

      "I can agree there are some people who need help protecting themselves from themselves but that does not mean we need wide sweeping nanny-statism..."

      Let's sit down sometime and have a good long talk about what human beings need and about how some desperate silicon pushers --who naturally need to keep selling ICs or else find they are milking a dry cow and maybe even have to write off all that preparation and experience and whatever all those patents might be worth-- are reaching new lows all the time.

      "Now, you needn't have studied marketing to know that there are two groups of people who can always be convinced to consume more than they need to: addicts and children. School has done a pretty good job of turning our children into addicts, but it has done a spectacular job of turning our children into children. Again, this is no accident..." --John Taylor Gatto, Against School

    5. Lotaresco Silver badge

      Re: Grab the burning torches and pitchforks

      "Scaremongering over the Bluetooth API is simply opportunistic agenda pushing;"

      I've come back to this because it's still annoying me. This wasn't scaremongering over the Bluetooth API as such, it's a discussion of the flaws that were introduced by a manufacturer's implementation of security. From the article:

      "Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the computer or handheld viewing the page, without any authentication"

      You see that part in bold? That's the important detail, no authentication required. This is a common failing in the Internet of Toys domain, the manufacturers do not provide even the most basic security measures. It's an implementation issue.

      1. Jason Bloomberg Silver badge

        Re: Grab the burning torches and pitchforks

        I've come back to this because it's still annoying me. This wasn't scaremongering over the Bluetooth API as such

        Except for the sub-headline; "Warnings about leaky Bluetooth Web API all-too-accurate".

        That appears to me to suggest the Bluetooth Web API is at fault here.

        From the article: "Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the computer or handheld viewing the page, without any authentication"

        Yes; and that's a failure of authentication, not a failure of the Web Bluetooth API. I would refer you to the post below from pdjstone; "Author of the blog here ... I don't think there's anything particularly bad about Web Bluetooth itself (Chrome pops up a prompt and the user has to explicitly choose a device to connect to)".

        There is no automatic means for a web page to automatically connect to any Bluetooth device, including CloudToy. That requires human intervention.

        1. Charles 9 Silver badge

          Re: Grab the burning torches and pitchforks

          Unless, of course, your computer is owned and can do it FOR YOU.

  9. Mr Dogshit

    ClownPets

    LOL

  10. Lotaresco Silver badge

    As I mentioned in another thread...

    There is already excellent advice available about what to do.

    1. Voland's right hand Silver badge

      Re: As I mentioned in another thread...

      You can skip to point 6 in that. Straight away.

      My kids know how Google, Facebook and other similar outfits make their money from a very early age.

      It is the same education our parents gave us regarding what to do about a strange man giving out sweets to children in the park. Just for the digital age - using Google and Facebook as prime examples.

  11. pdjstone

    Author of the blog here - just to be clear the Unicorn itself doesn't use Web Bluetooth. It uses regular Bluetooth LE. I don't think there's anything particularly bad about Web Bluetooth itself (Chrome pops up a prompt and the user has to explicitly choose a device to connect to), I simply used it as a quick and fun way to demonstrate the vulnerabilities in the toy.

    1. no-one in particular

      Re: I don't think there's anything particularly bad about Web Bluetooth itself

      > Chrome pops up a prompt and the user has to explicitly choose a device to connect to

      But isn't "the user" in that statement the Bad Man? So presenting him with a prompt and a choice of delicious low-hanging fruit is hardly any form of security.

  12. sorry, what?
    Joke

    IoT...

    Short for idIoT.

    Or perhaps "Interception over Toy"?

    1. dbtx
      Coat

      Re: IoT...

      given "upload audio recordings", seems more like Inception.

  13. Jonathan 27 Bronze badge

    This product was and always has been a terrible idea. I can't think of a better example of marketing people refusing to pay attention to what engineers told them.

    1. Anonymous Coward
      Anonymous Coward

      Outlook Express.

  14. Howard Hanek
    Childcatcher

    Pedophiles

    Love children's toys too it seems.

  15. Cuddles Silver badge

    Range

    "Bluetooth LE typically has a range of about 10 - 30 meters"

    No it doesn't. Class 1 industrial use has a typical range of 20-30m, class 2 use as seen in pretty much all mobiles, toys, and so on, is typically no more than 5-10m, with 30m being the absolute maximum under ideal conditions. Someone connecting to a child's toy at long range from outside your house is effectively impossible. Even connecting to one from the other side of a room is likely to be pushing it most of the time. There's a reason the video shows someone sitting next to the toy with his laptop

    This kind of unsecured bluetooth might be useful for targeted attacks, but no-one is going to be driving around the neighbourhood trawling for bluetooth connections since, unlike wifi, they'd never be able to find a signal strong enough. Connecting from some other compromised device that spends time nearby could work, but at that point you'd probably have the relevant credentials anyway if you actually needed them.

    1. Jason Bloomberg Silver badge

      Re: Range

      Someone connecting to a child's toy at long range from outside your house is effectively impossible.

      I am not convinced of that. Not sure what 30 metres is in El Reg units, but it's about 100 foot in old money. I worked with BT/BLE and our scanning application using an off-the-shelf Bluetooth dongle detects neighbour's equipment three doors down and people walking past the office.

    2. tekHedd

      Re: Range

      If the house was built with foil vapor lock (as mine is), it greatly reduces bluetooth range from outside the house. It's like a tinfoil hat for your house!

      That said, it is always possible to build directional antennas.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020