CloudPets, the range of smart fluffy toys at the centre of a major data breach, also allow anyone within Bluetooth range to connect to it and record users' voices.
Not only has CloudPets maker Spiral Toys leaked over 800,000 passwords and 2.2 million voice recordings via an unsecured database, but the toys themselves don’t require authentication to pair a phone with them over Bluetooth Low Energy (LE).
This means that anyone with the CloudPets smartphone app can connect to a CloudPets toy, so long as the toy is on and not already connected to another phone.
The issue was disclosed today by Paul Stone, a researcher at security firm Context. Stone has advised parents to ensure the toy is turned off when not in use.
“Bluetooth LE typically has a range of about 10 - 30 meters, so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone,” he wrote in a post today.
"Our guidance is to switch the toy off when not in use."
Equally troubling, Stone says he’d spent five months attempting to report the issue to Spiral Toys, however he’s received no response.
He decided to reveal the authentication issue in light of yesterday’s breach disclosure by security researcher Troy Hunt. Hunt also criticized Spiral Toys for failing to respond to his warnings.
Stone said the issue he found and CloudPet’s database breach “show that little thought has been put into securing the product”.
Hunt found that Spiral Toys had stored CloudPets user recordings and children’s names in an Amazon service that didn’t require authorization to access. While the passwords were encrypted, CloudPets lacked minimum password requirements, making them easy to crack.
The lack of authentication for pairing is similar to what researchers found in the My Friend Cayla smart doll. Earlier this month Germany’s telecommunications regulator banned the doll after classifying it a “concealed surveillance device”.
Cayla, which answers kids' questions, connects via Bluetooth to a smartphone app that records what children say and transmits it to US-based speech recognition company, Nuance.
The Norwegian Consumer Council in December found that the doll didn’t require authentication to pair with the toy.
NCC has since called for EU-wide product safety regulations to encompass connected devices, as well as traditional issues such as choking and other safety risks.