Speaking of insidious toys ...
https://www.theregister.co.uk/2017/02/2 ... base_leak/" onclick="window.open(this.href);return false;
Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation.
Essentially, the $40 cuddly CloudPets feature builtin microphones and speakers, and connect to the internet via an iOS or Android app on a nearby smartphone or tablet. Families can use the fake animals to exchange voice messages between their children, friends, and relatives.
For example, a parent away on a work trip can open the CloudPets app on their smartphone, record an audio message, and beam it to their kid's toy via a tablet within Bluetooth range of the gizmo at home; the recording plays when the tyke press a button on the animal's paw.
Similarly, the youngsters can record messages using the stuffed creature, and send the audio over to their mom, dad, grandparent, and so on, via the internet-connected app.
Cute ... How CloudPets passes messages from app to toy
These voice clips, along with records of 820,000 CloudPets.com accounts associated with the each of the toys, have been left wide open on the internet, with no password protection – allowing gigabytes of sensitive material to potentially fall into the hands of criminals. And it's all due to a poorly secured NoSQL database holding 10GB of internal information.
CloudPets' internet-facing MongoDB installation, on port 2701 at 45.79.147.159, required no authentication to access, and was repeatedly extorted by miscreants, evidence shows. The database contains links to .WAV files of voice messages hosted in the Amazon cloud, again accessible with no authentication, potentially allowing the mass slurping of more than two million highly personal conversations between families and their little ones.
It appears crooks found the database, presumably by scanning the public 'net for insecure MongoDB installations, took a copy of all the data, deleted that data on the server, and left a note demanding payment for the safe return of a copy of the database. This happened three times, we're told.
Of course, anyone else wandering by the database could have swiped the records for themselves and kept quiet, so the information potentially could be in the hands of just about any miscreant.
Computer security breach expert Troy Hunt, who maintains the HaveIBeenPwned website, was tipped off about the insecurity of CloudPets, a brand of Spiral Toys, and went public today with details of the cockup.
“This is kids' voices recorded on teddy bears,” Hunt told The Register after spending a week investigating the security blunder. “I can picture my four-year-old girl, sitting in her room – it's hard to picture a more innocent scenario – and all these actors have access to what she says to her teddy bear.”