Soft and sweet, but not very secure

The Internet of Things: Teddy Bear Edition

By Joe Gervais, Security Communications Director at LifeLock

Soft and sweet, but not very secure. That’s how you might describe the CloudPets “smart” teddy bear after news of yet another Internet of Things snafu. This one follows last week’s story about a potentially eavesdropping doll in Germany.

The tech and science news website Motherboard reports that Spiral Toys, a company that sells CloudPets internet-connected stuffed animals, left customer credentials and voice recordings exposed online for others to see and hear. The National Cyber Security Alliance (NCSA) called the incident involving 800,000 user accounts and 2 million voice recordings, “a major data breach.”

Your attention, please
 
NCSA Executive Director Michael Kaiser said the CloudPets breach illustrates the need to pay close attention to the data collected by connected toys, appliances, and cars as they become increasingly incorporated into our daily digital lives.

What is an internet-connected stuffed animal? It’s a child’s toy that plays back messages recorded on a smartphone app. The idea is for family members to record messages on their phones to be sent via the internet to the stuffed animal for the child to hear. The child can also record messages on the toy for others to hear remotely.

Got that?

Motherboard reports that since this past Christmas, until at least the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn’t behind a firewall or password-protected.

This is not the first time

What happened in this situation isn’t unique. In last week’s German IoT snafu, hackers could have taken over talking toys, and spoken directly to the child — also, reportedly, a possible threat in this latest issue. It was bad enough that a German consumer agency recommended that parents destroy the affected toys.

What’s the message here? As amazing as the Internet of Things might be, you have to be careful. LifeLock Chief Information Security Officer Neil Daswani says, “If I had to give one piece of advice to consumers, I would say, be careful about the new devices you bring into your home.”

Here’s what to do

The NCSA offers tips as you consider adding IoT devices to your life, including:

  • Learn how to maintain the cybersecurity of your IoT devices: Protecting smart devices like wearables, toys, and connected appliances might be different than securing your computer or smartphone.
  • Own your online presence: Understand what information your devices collect and how it’s managed and stored.
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking, and social media.
  • Pay attention to the Wi-Fi router in your home: Use a strong password to protect the device, keep it up to date and name it in a way that won’t let people know it’s in your house.