IoT security is usually a concern for businesses, but a recent security breach has parents worried about their children’s safety. A cybersecurity researcher discovered an open database that contains links to over two million voice messages that have been recorded by the owners of CloudPets toys. These stuffed animals let people record and send greetings through the toy or via a mobile app. The toys are mainly used by children to record messages for their parents and grandparents. The kids speak into a microphone inside the toy, and then their message is recorded and uploaded to cloud storage via a smartphone app. Parents and grandparents can listen to the message on a second CloudPets toy.
There are about 820 thousand CloudPets.com accounts. The uncovered database includes audio recordings from CloudPets users, and the profile pictures of children. The database also includes direct links to the recordings and anyone could have downloaded this data.
The voice recordings were exposed online because the toymaker used an insecure MongoDB installation that did not require any authentication to access. Researchers also say that one of the biggest flaws with CloudPets is that consumers weren’t using complex passwords to secure their accounts. Some users were even using the password “Cloudpets” to secure their accounts.
The California-based company, Spiral Toys, says it was notified about the breach in February. The database was accessed between December 2016 and January 2017. Consumers who have accounts on the CloudPets website should reset their passwords.
Although this data breach primarily impacts consumers, IoT device manufacturers should use this security incident to make sure their products are secure before they’re available to consumers. Device security should be prioritized because the consequences of a security breach can land companies in trouble with government agencies. For example, the FTC can take enforcement actions against Spiral Toys because the privacy of children was compromised in the breach.
Below are three tips that manufacturers can take to get consumers to secure their online accounts.
It is clear that in 2017, Endpoint Security is important to consumers and businesses alike. Consumers need to follow best practice guidelines by creating strong account passwords. IoT device manufacturers need to use endpoint security software to keep their devices secure from outside threats. With endpoint management, threats can be discovered before data is compromised.