An internet-connected teddy bear that allows parents and kids to exchange heartfelt audio messages sounds like a great idea—until the parents' emails and passwords, as well as the message recordings themselves, are left exposed online to hackers.
That's what happened to an Internet of Things teddy bear made by Spiral Toys, as Motherboard reported on Monday. The company left a database containing customer data completely insecure. And as it turns out, the teddy bears themselves, part of the company's CloudPets brand, were insecure too, and could have been easily hacked.
"Anyone within range—10 meters with a normal smartphone—can just connect to it," Paul Stone, a security researcher who studied how CloudPets' toys work, told Motherboard in an email. "Once you're connected you can send and receive commands and data."
In other words, the teddy bears could be turned into remote surveillance devices, or used to harass toddlers much like some insecure baby monitors were used to terrorize children in the past.
Stone, a researcher with the UK-based security firm Context, said the CloudPets toys don't use any standard Bluetooth security features, such as pairing encryption, when communicating with the owner's smartphone app. Anyone within range, Stone said, can connect to the toy, upload a message to the toy, "silently" trigger the toy's recording functionality, and "download the audio that the toy has recorded."
So if you have a smartphone with Bluetooth you can just connect to it and start sending audio messages to it. You don't even need to be within 10 meters (approximately 32 feet) if you use a directional antenna, according to Stone.
"Someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone," Stone wrote in a blog post explaining his findings on Tuesday.
The researcher showed how he made the toy play whatever message he wanted in a video.
"Exterminate, annihilate, destroy," the unicorn-shaped pet toy says in the video.
To be fair, Stone said these toys are not "the perfect bugging device" because one can only record five messages of 40 seconds of audio with them, and you have to be within Bluetooth range. But it might be possible to change the time limit, because the toys' firmware is not signed or encrypted, so it can be overwritten by anyone, according to Stone.
"It would be possible to modify the firmware to make it into a better spying device," Stone told me.
The researcher said he had made multiple attempts to warn Spiral Toys of these issues since October, but didn't receive a response. I myself have had trouble talking to anyone at the company, including its CEO Mark Meyers, whom I called and messaged on LinkedIn. Calls to the company's telephone numbers also went unanswered, and so did emails to its public addresses.
Meyers denied the data breach in an interview with Network World. Meyers also said he saw our attempts to get comment, but he never reached back because "you don't respond to some random person about a data breach."