CloudPets’ IoT Toys Dealt Scathing Security Audit


Amazon and Walmart are among the retailers that have pulled CloudPets’ IoT-based toys off their shelves.

Sixteen months ago, CloudPets, IoT enabled stuffed toys that allow kids to interact with them, made headlines across the globe when it was revealed the company behind them, Spiral Toys, was running a completely unsecured server that stored the voice recordings of millions of children and parents along with the email addresses and passwords of nearly a million more.

Spiral Toys ignored the outcry and did nothing. Then it was discovered that the toys were easily hackable so that anyone could communicate with children through them. Spiral Toys again did nothing.

According to The Register, Mozilla contracted cybersecurity researchers Cure53 to do an audit on the toys and company. In addition to the existing security flaws, which the company still refused to respond to, the audit found a domain related to the toys had expired, leaving it open to be used in a phishing attack, the company’s phone number was programmed to disconnect callers, and their website was not reachable.

See also: IIC’s IoT security model helps fine-tune spending

“The company clearly does not care about their users’ security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users. In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” said Mozilla Vice President of Advocacy Ashley Boyd.

As a result of the company’s apathy and irresponsibility, and the fact it’s not even clear if they are still in business, Mozilla sent letters to Amazon and other retailers urging them to remove the toys from their shelves. So far Amazon, eBay, Target, and Walmart have complied.

Mozilla says the company’s refusal to respond to emails, answer calls or acknowledge the security problems in any way is a good illustration of one of the major problems facing the Internet of Things-manufacturers who don’t care about security.

Sue Walsh

About Sue Walsh

Sue Walsh is News Writer for RTInsights, and a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.

Leave a Reply