• IoT teddy bear leaks parents’ and kids’ voice messages, email addresses and passwords
[QUOTE]A maker of Internet-connected stuffed animal toys has leaked a database of sensitive customer data. The leak includes more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts. The data was left in a publicly available database that wasn't protected by a password, according to a [URL="https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/"]blog post published Monday by Troy Hunt[/URL]. Hunt maintains Have I Been Pwned?, a website devoted to breach disclosure. He said searches using the Shodan computer search engine and other evidence indicated that, since December 25 and January 8, the customer data was accessed multiple times by multiple parties, including criminals who ultimately held the data for ransom. The data was exposed by Spiral Toys, maker of the CloudPets line of stuffed animals. The toys record and play voice messages that can be sent over the Internet by parents and children. The MongoDB database of almost 2.2 million voice records was stored by a Romanian company called mReady, which Spiral Toys appears to have contracted with. Hunt said that, on at least four occasions, people attempted to notify the toy maker of the breach. In any event, evidence left behind by the ransom demanders made it almost certain company officials knew of the intrusions. Hunt wrote: "It's impossible to believe that CloudPets (or mReady) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them. Obviously, they've changed the security profile of the system, and you simply could not have overlooked the fact that a ransom had been left. 
So both the exposed database and intrusion by those demanding the ransom must have been identified yet this story never made the headlines."[/QUOTE] [url]https://arstechnica.com/security/2017/02/creepy-iot-teddy-bear-leaks-2-million-parents-and-kids-voice-messages/[/url] Internet of shit strikes again.
[QUOTE=TheRealFierce;51884723][url]https://arstechnica.com/security/2017/02/creepy-iot-teddy-bear-leaks-2-million-parents-and-kids-voice-messages/[/url] Internet of shit strikes again.[/QUOTE] When is this shit going to be regulated?
I'm pretty sure that's class action lawsuit material.
[QUOTE=OmniConsUme;51884730]When is this shit going to be regulated?[/QUOTE] Not in this presidency!
[QUOTE=TheRealFierce;51884723]Internet of shit[/QUOTE] False. The dolls may have flaws but the article specifically mentions the database is online and hosted by mready. I actually read this article on another site with the whole exposé (It's on hacker news) and it's a classic case of installing mongodb rather than mongodb-enterprise + not turning off "let anyone read/write to this database via the web" Oh yeah also the company was on its last legs before doing this and they're definitely going down now.
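As an added example (not part of the thread or the linked article), a minimal Python check for the misconfiguration described above: a MongoDB server that listens beyond loopback with access control off. It reads the mongod.conf keys net.bindIp, net.bindIpAll and security.authorization; the function names and both sample configs are constructed for illustration.

```python
# Added example: audit a mongod.conf (YAML) for the two settings behind an
# "on the internet, no password" MongoDB. Both sample configs are constructed.

def parse_conf(text):
    """Flatten the simple nested 'section: / key: value' layout of mongod.conf
    into dotted keys, e.g. {'net.bindIp': '0.0.0.0'}. Not a general YAML parser."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:         # leave finished sections
            path.pop()
        value = value.strip().strip("\"'")
        if value:
            settings[".".join([k for _, k in path] + [key])] = value
        else:
            path.append((indent, key))                # a section header
    return settings

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_conf(text)
    findings = []
    # Access control is off unless security.authorization is 'enabled'.
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("NO_AUTH: clients can read and write without credentials")
    addrs = {a.strip() for a in conf.get("net.bindIp", "").split(",") if a.strip()}
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    # Assumption: an unset bindIp is flagged too, because the listen address
    # then depends on the server version's default.
    if bind_all or not addrs or not addrs <= LOOPBACK:
        findings.append("NON_LOOPBACK_BIND: listener is, or may be, reachable from other hosts")
    return findings

WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, and no security section at all
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "OK")
```

A non-loopback bind address is normal for a database that application servers must reach; it is the combination with NO_AUTH, and no firewall in front, that leaves the data readable by anyone who finds the port.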
[QUOTE=01271;51884823]False. The dolls may have flaws but the article specifically mentions the database is online and hosted by mready. I actually read this article on another site with the whole exposé (It's on hacker news) and it's a classic case of installing mongodb rather than mongodb-enterprise + not turning off "let anyone read/write to this database via the web"[/QUOTE] Well a flaw in how they handled their databases is still a flaw in IoT, at least how I see it. If manufacturers don't want to go through the effort of securing their databases, they shouldn't be selling IoTs.
Why would you want a teddy bear that connects to the internet in the first place? I know it sends messages from parents to kids, but honestly they could do that over the phone or on a webcam. Combining stuffed animals with the internet has always seemed silly to me. Also the fact that I own a Furby and I swear to god that thing is alive. It's watching, waiting for me to drop my guard. 10 year old me was a fool to trust their kind.
[QUOTE=jimbobjoe1234;51884983]Why would you want a teddy bear that connects to the internet in the first place? I know it sends messages from parents to kids, but honestly they could do that over the phone or on a webcam. Combining stuffed animals with the internet has always seemed silly to me. Also the fact that I own a Furby and I swear to god that thing is alive. It's watching, waiting for me to drop my guard. 10 year old me was a fool to trust their kind.[/QUOTE] If you're a parent that is always working and never has time to spend with your kid, spying on them through their toys is partially a security factor and also how you would learn about what they like to do. When I was young I would get phone calls from 'Santa' (my dad's friend) around Christmas and I would tell him everything I wouldn't tell my parents, especially if there was family drama. I didn't know that it would get leaked to my parents but it was how they found out deeper stuff about me. It's the same sort of principle with smart toys, but if they're left unsecured then you run the risk of creeps stalking your child.
This sounds very [URL="https://facepunch.com/showthread.php?t=1454844"]familiar...[/URL] Seriously though, what the fuck is up with all these toys recording shit?
[QUOTE=Megaman1811;51885138]This sounds very [URL="https://facepunch.com/showthread.php?t=1454844"]familiar...[/URL] Seriously though, what the fuck is up with all these toys recording shit?[/QUOTE] Well in this case it's basically voice mail, but that being integrated into e.g. a teddy bear of all things is just weird.
At this point if you're buying IoT products you're basically contributing to botnets.
IoT is the dumbest fucking trend of the last few years, you don't need a fridge with Windows 10 installed on it, you don't need a Teddy bear that monitors children, where has this obsession that [I]everything[/I] needs a fucking internet connection. What next? IoT bike helmets? I was going to say "IoT Pens" but I know that exists already.
[QUOTE=ZombieDawgs;51886436]IoT is the dumbest fucking trend of the last few years, you don't need a fridge with Windows 10 installed on it, you don't need a Teddy bear that monitors children, where has this obsession that [I]everything[/I] needs a fucking internet connection. What next? IoT bike helmets? I was going to say "IoT Pens" but I know that exists already.[/QUOTE] IoT lightbulbs is a thing too
[QUOTE=RocketRacer;51886771]IoT lightbulbs is a thing too[/QUOTE] How the fuck does that even work?
[QUOTE=TheRealFierce;51884880]Well a flaw in how they handled their databases is still a flaw in IoT, at least how I see it. If manufacturers don't want to go through the effort of securing their databases, they shouldn't be selling IoTs.[/QUOTE] Pardon friend? This is a problem with their central database isn't it? Not a problem with internet of things, more a problem with a shitty web developer/shitty database admin/shitty security. They might also be a shitty IOT developer but this does not prove that. They could have been selling self warming scarfs or chocolate teapots and still had the same problem - people sign up to your website/service, you store their details in your database (and passwords by the looks of it, unsure whether they at least encrypted the passwords) then someone realises your database is insecure. An IOT bear is a shitty idea but some stuff is p legit, especially for stuff like manufacturing or maintenance, using IOT you could detect and mitigate a problem faster than a human technician could. And sure a fridge is silly, especially if it's done badly, but more and more people are demanding to be able to control/monitor stuff from their phone. People shouldn't take so much offence at IOT they should take offence toward IOT done badly.
[QUOTE=RaraKnight;51886788]How the fuck does that even work?[/QUOTE] Philips Hue Hub is connected to internet and you can interact with those using the app on a phone wherever you are.
[QUOTE=RaraKnight;51886788]How the fuck does that even work?[/QUOTE] Generally you don't control them from outside of the house. Some of them have the option to be controlled fully remotely though. They actually have various useful features, from being able to be lazy and change the lights in bed, to schedules (if you're not home you can have lights toggle to make it appear as if you were home), you can shut lights off you left on by accident, etc. You generally use them in conjunction with the original switch. Also comes in handy to have presets for various rooms. I have my lights turn on alongside my alarm to get my lazy ass out of bed
[QUOTE=RocketRacer;51886871]Philips Hue Hub is connected to internet and you can interact with those using the app on a phone wherever you are.[/QUOTE] [QUOTE=thejjokerr;51886804][url]http://www2.meethue.com/en-gb/[/url][/QUOTE] Well that's pretty neat if completely damn pointless. What is up with this trend, anyway? I'm all one for moving towards the future of science and technology but sometimes you just have to draw the line and stop.
[QUOTE=mdeceiver79;51886825]Pardon friend? This is a problem with their central database isn't it? Not a problem with internet of things, more a problem with a shitty web developer/shitty database admin/shitty security. They might also be a shitty IOT developer but this does not prove that. They could have been selling self warming scarfs or chocolate teapots and still had the same problem - people sign up to your website/service, you store their details in your database (and passwords by the looks of it, unsure whether they at least encrypted the passwords) then someone realises your database is insecure. An IOT bear is a shitty idea but some stuff is p legit, especially for stuff like manufacturing or maintenance, using IOT you could detect and mitigate a problem faster than a human technician could. And sure a fridge is silly, especially if it's done badly, but more and more people are demanding to be able to control/monitor stuff from their phone. People shouldn't take so much offence at IOT they should take offence toward IOT done badly.[/QUOTE] An example of a (seemingly) well implemented IoT device is the washing machine my parents bought. It only connects locally and (although it has some random features such as notifying you when a load is done), one of the most useful features is it can give you notifications of various warnings, errors, etc. Anything found during self diagnosis will be reported to the phone making it a hell of a lot easier to manage. Best thing? It can do it all over LAN. You have the choice to make it able to be accessed via LG's servers or via LAN only.
[QUOTE=Pw0nageXD;51886890]Generally you don't control them from outside of the house. Some of them have the option to be controlled fully remotely though. They actually have various useful features, from being able to be lazy and change the lights in bed, to schedules (if you're not home you can have lights toggle to make it appear as if you were home), you can shut lights off you left on by accident, etc. You generally use them in conjunction with the original switch. Also comes in handy to have presets for various rooms. I have my lights turn on alongside my alarm to get my lazy ass out of bed[/QUOTE] iirc it also has an API which gives other apps the ability (with permission) to change the lights. eg house parties at a friend of mine, the lights change hue and brightness with the music. For the fridge what if it could send you an alert when the temperature goes over x, implying it's been left open? You don't need to predesign functionality - that takes time, money and ideas. You give others the option to do it. We see it with modding games, gmod and skyrim, mediocre on release they came into a world of their own. Not to sound pretentious but it has the potential to "democratise" technology in that it distributes power away from the manufacturer. I make my gimmicky IOT hardware and then other people can play with it and hack around with it. It improves IOT technology and it essentially crowd sources new features. Providing there is transparency (don't want someone using your fridge to mine bitcoin), regulation (don't want your fork telling Monsanto what you're eating) and correct security it's a good thing... aside from the price for seemingly unnecessary "smart" whatevers.
[QUOTE=ZombieDawgs;51886436]IoT is the dumbest fucking trend of the last few years, you don't need a fridge with Windows 10 installed on it, you don't need a Teddy bear that monitors children, where has this obsession that [I]everything[/I] needs a fucking internet connection. What next? IoT bike helmets? I was going to say "IoT Pens" but I know that exists already.[/QUOTE] The singularity approaches, brother. You don't want to be a troglodyte, do you?
[QUOTE=Chonch;51887185]The singularity approaches, brother.[/QUOTE] Rise of the sentient pen is inevitable.
[QUOTE=Chonch;51887185]The singularity approaches, brother. You don't want to be a troglodyte, do you?[/QUOTE] If being a troglodyte means living in a rural area where my microwave doesn't post twitter statuses, then yeah? I really don't like the direction technology is taking. It won't be long until it's used maliciously and then we open a whole world of shit.
[QUOTE=mdeceiver79;51887191]Rise of the sentient pen is inevitable.[/QUOTE] "What is my purpose?" "You draw dickbutts" "Oh...oh my god."
[QUOTE=snookypookums;51887328] [QUOTE=mdeceiver79;51887191]Rise of the sentient penis inevitable.[/QUOTE] "What is my purpose?" "You draw dickbutts" "Oh...oh my god."[/QUOTE] William : "Today my pen, we will be drawing dicks" Pen : "Will, y me?" [editline]28th February 2017[/editline] [QUOTE=ZombieDawgs;51887316]If being a troglodyte means living in a rural area where my microwave doesn't post twitter statuses, then yeah? I really don't like the direction technology is taking. It won't be long until it's used maliciously and then we open a whole world of shit.[/QUOTE] On a serious note I think you have a point. One of the problems with this "smart stuff" is any risks/consequences/issues are hidden in 1000s of pages of legalese. There is no real consent. People buy a smart TV because "WOW ITS SMART" but then don't know that it's spying on them and even sending [URL="https://arstechnica.com/security/2013/11/smart-tv-from-lg-phones-home-with-users-viewing-habits-usb-file-names/"]personal, private information from connected devices over the internet unencrypted[/URL] or stuff like [URL="https://www.youtube.com/watch?v=ubjuWqUE9wQ"]devs being lazy and not encrypting people's data.[/URL] It gets mega creepy and we don't know what we're getting into, it's made purposefully difficult to understand and, while they may exist, options for opting out aren't apparent. I fear we grow complacent in what we let people do with our information. For it to work we need to be smart about what we let companies do and companies need to treat us and our data with more respect. I advocate entirely for stuff to be automated and networked but only if the user has control over it and is educated about it. Things must be made as transparent as possible for this to work. Otherwise you get abusive as fuck TV manufacturers spying on people and selling information people never really consented to giving away, in my mind that's no better than theft or voyeurism.