
CloudPets’ IoT Toys Earn Scathing Security Audit


Amazon and Walmart are among the retailers that have pulled CloudPets’ IoT-based toys off their shelves.

Written By
Sue Walsh
Jun 21, 2018

Sixteen months ago, Spiral Toys made headlines globally when an investigation revealed serious IoT security issues with its CloudPets toy. The company had been running an unsecured server that contained voice recordings of millions of children and parents, plus email addresses and passwords of nearly 1 million more CloudPets owners.

The company chose to ignore the concern and outcry about its IoT-enabled stuffed toys designed to interact with children. Auditors soon discovered that the toys lacked security measures to prevent hacking. Anyone could use the toys to communicate with children. Still, Spiral Toys did nothing.

More IoT Security Fails

Mozilla contracted cybersecurity researchers Cure53 to audit the toys and company. In addition to the existing security flaws, which the company refused to address, the audit found that a domain related to the toys had expired. This expiration left it open to phishing attacks. Someone then programmed the company’s phone number to disconnect callers, and their website wouldn’t load.


“The company clearly does not care about users’ security and privacy violations and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users. In a world where data leaks have become more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” said Mozilla Vice President of Advocacy Ashley Boyd.

Mozilla sent letters to Amazon and other retailers urging them to remove the toys from their shelves. So far Amazon, eBay, Target, and Walmart have complied.

Mozilla says the company’s refusal to respond to emails, answer calls or acknowledge the security problems illustrates one of the major problems facing the Internet of Things: manufacturers who don’t care about security.

Sue Walsh

Sue Walsh is News Writer for RTInsights, and a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.
