CloudPets

CloudPets was an Internet-connected soft toy manufactured by the now-defunct Spiral Toys; in February 2017 it was found to have numerous security vulnerabilities. [1] [2] The plush teddy bear-style toys used Bluetooth to connect to a parent's smartphone, allowing distant family members to send voice messages to the toy and allowing children to send voice messages back. [3]

Security researchers demonstrated that the toy itself was insecure and could be trivially accessed via Bluetooth. The personal records of over 820,000 owners of the toy [4] were stored in an insecure MongoDB database. Attackers also replaced the database with a ransom demand pointing to a Bitcoin address. [5] Data retrieved from the CloudPets database was sent to the Australian security researcher Troy Hunt who included it in Have I Been Pwned?, a database of users whose data has been compromised. The database of user records also contained links pointing to over 2.2 million audio files hosted on Amazon Web Services containing the voice messages sent to and from the toys. [4] [6] Hunt stated that the database hack was "ridiculously easy". [7]

Following disclosure of security vulnerabilities, CloudPets started enforcing stronger password requirements on users of the service—they had previously not enforced any password complexity requirements and their documentation had suggested short, weak passwords. [3] Numerous journalists and security researchers including Hunt noted that the company was non-responsive to disclosures from security researchers and enquiries from journalists. [4]
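The two failures behind the database side of the incident, an instance reachable by anyone and no authentication in front of it, are both ordinary mongod.conf settings. The audit function below is an added example (not code from the article, Spiral Toys or Troy Hunt) that checks a parsed mongod.conf for those settings; it assumes, as in the MongoDB ransom wave of that period, that the exposed instance accepted unauthenticated connections, and both sample configurations are constructed.

```python
"""Audit a parsed mongod.conf for the settings that let any client on the
network read, replace or drop collections: a wildcard listen address and
authorization left disabled. Added example; sample configs are constructed."""

# Constructed sample resembling an exposed, unauthenticated deployment.
EXPOSED_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed sample: the same deployment with both controls in place.
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Addresses that make mongod listen on every interface ("*" since 4.2).
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def audit_mongod(config: dict, server_version: tuple = (3, 4)) -> list:
    """Return a list of findings; an empty list means both controls are set."""
    findings = []
    net = config.get("net", {})
    bind = net.get("bindIp")
    if net.get("bindIpAll") is True:
        findings.append("net.bindIpAll is true: listens on all interfaces")
    elif bind is None:
        # Before 3.6 an unset bindIp meant listening on all interfaces.
        if server_version < (3, 6):
            findings.append("net.bindIp unset: this version listens on all interfaces")
    else:
        addrs = {a.strip() for a in str(bind).split(",")}
        wild = sorted(addrs & WILDCARD_BINDS)
        if wild:
            findings.append(f"net.bindIp includes wildcard address {wild}")
    if config.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not enabled: any client can read or drop data")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod(cfg) or "no findings")
```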


References

  1. Mathews, Lee. "The Latest Privacy Nightmare For Parents: Data Leaks From Smart Toys". Forbes. Retrieved 2017-08-06.
  2. Kan, Michael. "Smart teddy bears involved in a contentious data breach". Network World. Archived from the original on March 1, 2017. Retrieved 2017-08-06.
  3. Hern, Alex (2017-02-28). "CloudPets stuffed toys leak details of half a million users". The Guardian. ISSN 0261-3077. Retrieved 2017-08-06.
  4. Larson, Selena (2017-02-27). "Stuffed toys leak millions of voice recordings from kids and parents". CNNMoney. Retrieved 2017-08-06.
  5. "Children's messages in CloudPets data breach". BBC News. 2017-02-28. Retrieved 2017-08-06.
  6. "CloudPets' data breach underlines need for secure cloud apps". ComputerWeekly. Retrieved 2017-08-06.
  7. Cooper, Luke (2017-02-28). "Millions Of Private Messages Between Parents And Kids Hacked In Cloud Pets Security Breach". Huffington Post. Retrieved 2017-08-06.