CloudPets offered up a way for parents to keep in touch with kids, even when they were away from the house. The idea was simple: Parents would record a voice message on their phone, CloudPets would upload it to the cloud (thus the toys’ name) and then send it to their kids’ plush toy to be played from a built-in speaker. Kids could then upload and send back a message of their own. As a commercial for the device promised, it was a “message you could hug.”
It wasn’t, unfortunately, a message that was very well protected. Motherboard writer Lorenzo Franceschi-Bicchierai has a lengthy post detailing the major lapses in security that left hundreds of thousands of users exposed and over two million recordings between children and their parents in the open.
The sins of CloudPets boil down to four key errors. First, the company was using MongoDB, an open-source database platform, and left its entire database out in the open, not even requiring a user to authenticate before gaining access. Anyone using a site like Shodan, which searches for devices connected to the internet, could have discovered it — and it appears that many did.
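The first failure above comes down to a server configuration. As an added illustration (not CloudPets' actual configuration, which the article does not reproduce), here are the two relevant settings in a mongod.conf, first in the exposed form the article describes and then hardened; the file is shown as two YAML documents only for side-by-side comparison, and a real mongod.conf holds just one.

```yaml
# Exposed configuration (the failure mode in the article):
# listens on every interface and requires no credentials, so anyone
# who can reach TCP port 27017 can read and modify the whole database.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled

---
# Hardened configuration:
# require a login for every operation, and only accept connections
# on the loopback interface (or the private address the application
# server actually connects from).
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

Enabling `security.authorization` is only half the fix: an administrative user has to be created first (via the localhost exception), and application accounts should get role-limited access rather than a superuser role. Since MongoDB 3.6 the server defaults to binding localhost, but older deployments, and any deployment that set `bindIp: 0.0.0.0` to make a cloud host reachable, still need the explicit setting.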
Second, CloudPets didn’t require users to use a strong password. So while CloudPets did take measures to obscure people’s passwords, users could use passwords as simple as “qwe” or that ol’ standby, “password.” Security researcher Troy Hunt ran the obscured passwords through a tool that tested them against the most commonly used passwords and was able to quickly crack many of them.
Of course, Hunt wasn’t the only one to figure this out. Forensic evidence shows that there were many others out there accessing the CloudPets database. Eventually, CloudPets hid its database from view, but it’s incredibly likely that ransomware authors accessed the database before this — thousands of sites using MongoDB were attacked with ransomware around the beginning of the year.
Third, CloudPets ignored four separate attempts to contact them about the security hole. Motherboard’s Franceschi-Bicchierai had someone contact him about the security flaw in late December, while also attaching an email they had sent to the company warning them. One of Hunt’s contacts made three separate attempts to alert the company.
Fourth, CloudPets failed to notify parents once it discovered what was going on — and a tremendous number of people could be affected. Per Motherboard, the database is currently being passed around the seedier corners of the internet. That database contains information on 821,396 registered users and 2,182,337 voice messages.
The voice messages weren’t actually in the database, but CloudPets made it trivially easy to figure out how to access them. The company stored them on Amazon’s cloud servers, and it was easy to work out the URL where a message would be — again, without requiring authentication from anyone who wanted to retrieve it.
“They were very irresponsible because they had to know about this. I have been ringing so many doorbells,” said researcher Victor Gevers to Motherboard. “People make mistakes. It’s the action that follows up which defines your character.”