Rapidly changing technology makes it a wonderful time to be a child. Think of the amazing innovations at their disposal that weren't around when we were growing up. There are so many learning tools online that can help with their education, it should help make schooling a breeze.
The world of toys has also received a boost in modernization. One popular item is the advent of "smart toys," or Internet-of-Things (IoT) toys. However, you need to know that some of these toys are not safe to use.
Why CloudPets smart toys are unsafe
What we're talking about is an innocent looking teddy bear made by a California company called Spiral Toys. The problems lie with the company's CloudPets line.
Last week we told you that a Spiral Toys' database was not being protected by a password or Firewall and was breached by hackers. The database was stolen by cybercriminals and they are now holding it hostage, demanding Spiral Toys pay a ransom to get it back. If the ransom is not paid, the hackers could sell the stolen data on the Dark Web.
There were actually two separate breaches involved in this incident. The first database that was breached stored over 2 million voice messages recorded by the smart toys. Private conversations from families and recordings of children alone playing with the toy were all taken.
In the second breach, Spiral Toys leaked users' details of 800,000 accounts. The stolen data included both email addresses and passwords.
Now, we've learned the CloudPets toys are an even greater security risk. It turns out that the IoT stuffed animals are susceptible to being exploited remotely via Bluetooth.
Researchers at Context IS have shown it's possible to take control of a CloudPets toy via Bluetooth. Anyone within 100 feet of the toy can open a website on their computer or smartphone that is designed to help take control of the toy. This means someone could be standing outside your house and take control of one of these toys.
Watch the following video to see how anyone can take control of a CloudPets toy.
Note: If you are reading this article using the Komando.com App, click here to watch a hacker take control of a CloudPets toy.
The problem is, CloudPets toys have no security blocking hackers from taking control. A hacker could take over and play sounds through the toy or record conversations taking place inside your house. The hacker just needs to pair their gadget with the toy while they are in range. Scary!
One of the Context IS researchers said, "Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else. Bluetooth LE typically has a range of about 10-30 meters, so someone standing outside your house could easily connect to the toy, upload audio recordings and receive audio from the microphone."
This isn't the first time an IoT toy has had security issues. Not long ago we warned you about the My Friend Cayla doll.
What you should do
With more and more of these IoT toys hitting the market, you really need to research them before purchasing for a loved one. If you have one of these CloudPets toys now, you should get rid of it immediately. Not only do they have ongoing security problems but the manufacturer isn't answering questions on how the problems are being dealt with.
The U.S. government has also taken notice of IoT toy security problems. Here are some suggestions you should follow:
- Be aware of what information is collected, whether or not it will be shared, and how long it's kept by the company.
- Research whether or not the toymaker has been a victim of data breaches in the past. If so, how was it handled?
- Change the toy's default passwords and privacy settings. Only allow the toy to collect the information necessary for the toy to run properly.