As innovative as smart devices may seem, the Internet of Things still represents a vulnerability for your digital security and privacy. The latest case involves a smart teddy bear which was able to record the nearby kids and parents. Now, those millions of recordings have just leaked.
To make matters worse, besides the obvious breach of the owners’ privacy, the leaked data also contains the e-mail addresses and the account passwords for more than 800,000 users. According to Troy Hunt, the admin of Have I Been Pwned? a breach notification website, the leaked was left in a freely available database without any kind of protection.
Hunt also revealed that after making several searches using the Shodan computer search engine and analyzing other evidence, the leaked data has already been accessed many times by different parties. Among these, there were even criminals who have held that data for ransom, as all the recordings were freely available on hosting service owned by Amazon, which did not require any type of authorization to access.
The data was first exposed by Spiral Toys, which is the producer of the CloudPets line of stuffed animals. Those types of toys, such as the smart teddy bear, are able to record and play voice messages which can be sent through the Internet by both parents and children.
The 821,296 account records were kept a in a database maintained by mReady, a Romanian company contracted by Spiral Toys. Furthermore, Hunt revealed that users tried to notify the company on several occasions about the data breach. However, it is highly probable that Spiral Toys was already aware due to the evidence left behind by criminals who demanded ransom for the data.
This smart teddy bear leak is only the latest data breach involving IoT toys. Back in November 2015, toy maker VTech was involved in a similar breach that leaked the account data including names, e-mails, passwords as well as home addresses, of more than 5 million adults. Furthermore, the leak also revealed the names, birthdays and genders of over 200,000 kids.
The high risk of privacy violation and digital security vulnerabilities posed by IoT devices should give anyone pause in purchasing them, as it seems to outweigh all the benefits you may receive from this type of devices.
Image source: CloudPets