Incident & Breach Response , Security Operations
Yes, Unicorns With Bluetooth Problems Really Do ExistSpiral Toys Dogged by More Allegations That It Ignored Security Warnings
Spiral Toys, the latest cloud-connected toy company to have experienced a serious data breach, was warned last October of a separate security lapse in its Bluetooth-enabled fluffy animals. The revelation adds to mounting concerns that the California-based company ignored warnings that its products were putting the privacy and security of users - both parents and children - at risk.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The alert was issued by U.K.-based Context Information Security, which conducted a technical analysis of a stuffed unicorn developed by Spiral Toys and found that any device within range could remotely connect to the toy via Bluetooth and begin listening.
Paul Stone, a security consultant with Context Information Security, writes that his company notified Spiral Toys about the vulnerability in October 2016 but received no response.
"After several emails, and messages to their Facebook and Twitter accounts, we've not yet had any response," Stone writes.
Dispute Goes Public
Stone went public with the flaws on Feb. 28 following findings that online MongoDB databases belonging to Spiral Toys were left unsecured. Some 2.2 million audio clips recorded by parents and children were at risk, along with hashed passwords for 821,000 accounts (see Don't Hug These Internet-Connected Stuffed Toys).
Security analysts have warned that some MongoDB databases are accessible online without requiring login credentials. Such vulnerable databases are easy to find using the Shodan search engine, which indexes internet-connected devices.
On occasion, hackers have copied and then deleted exposed databases, trying to extract a ransom from their operators. There are indications several actors also targeted Spiral Toys in this manner, copying the databases to a server they controlled before deleting the originals and leaving only a ransom note in the databases, according to a screenshot posted by IT consultant Niall Merrigan.
An unknown individual appears to have spotted the open MongoDB databases and alerted Spiral Toys on Dec. 31, 2016. According to Australian data breach expert Troy Hunt, who runs Have I Been Pwned, it appears that the vulnerable databases were taken offline, but not until Jan. 13.
Hunt says that Spiral Toys appears to have outsourced its application infrastructure to Romanian software development firm mReady. Officials at mReady couldn't be immediately reached for comment.
Spiral Toys appears to be disputing when it learned about related flaws. On Feb. 28, spokesman Harold Chizick said in a statement provided to Information Security Media Group: "Spiral Toys was notified about a potential breach on Feb. 22 and took immediate and swift action to protect the privacy of our customers."
Chizick added: "When we were informed of the potential security breach we carried out an internal investigation and immediately invalidated all current customer passwords to ensure that no information could be accessed. To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password-encrypted. For the protection of our users we are now requiring users to choose new, increased security passwords. An email will be sent out informing customers of the potential compromised login data and will give them a link to create a new password."
Despite the company claiming it was only notified of the MongoDB breach on Feb. 22, multiple security experts individually said they have been trying to reach the firm since late December 2016, and they have posted related tweets and even filed a trouble ticket with Spiral Toys' help desk to document these efforts.
Chizick didn't immediately respond to a request for comment about the apparent discrepancy, or the claim from Paul Stone that his October 2016 Bluetooth-related warning received no response.
Apparent Timeline Disagreement
This apparent timeline contradiction will likely fuel more questions for Spiral Toys, including whether it has been paying sufficient attention to such warnings and responding in a timely manner.
The company has now notified California's state attorney general office, which posted online an unusual, undated security alert from Spiral Toys, apparently on Feb. 28. In it, the company appears to downplay the breach, saying it was misleading to say 2.2 million audio recordings and images have been leaked.
"The messages and images of a customer account could not be accessed unless a hacker 'guessed' the password," the notice reads.
Security researchers say the recordings and images are protected by an account password. The leaked passwords were encrypted with bcrypt, which password security experts say is fit for purpose - provided it is used correctly. But Hunt says Spiral Toys failed to set a minimum length for users' password selections. As a result, some users selected very short, weak passwords, which can be relatively easily cracked despite the use of bcrypt, Hunt says, adding that he's already been able to crack a large number of them, although he will not use or publish them.
Furthermore, the audio recordings were stored in an Amazon S3 cloud storage bucket, and simply knowing the file path of the recordings was all that was required to play them back, Hunt writes. Although it might be a challenge to learn the file path, Hunt says links to audio recordings were contained in the MongoDB databases that were apparently obtained by attackers as part of their ransom campaigns.
My Pet Bluetooth Spy?
Spiral Toys' CloudPets products - as cloud-connected devices - are far from the only internet of things devices that have been found to suffer from security problems.
While some of the problems relating to CloudPets tie to its cloud infrastructure, others relate to how technologies in the devices themselves have been implemented. Stone at Context Information Security, for example, analyzed how the CloudPets stuffed unicorn uses Bluetooth Low Energy to communicate with other devices. He contends that the implementation falls short by failing to implement even basic security controls.
"Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else," Stone writes. "Bluetooth LE typically has a range of about 10 to 30 meters [11 to 33 yards], so someone standing outside your house could easily connect to the toy, upload audio recordings and receive audio from the microphone."
Stone also found fault with the device's firmware, the low-level code that acts as a liaison between a device's hardware and higher-level application software.
To prevent unauthorized firmware from running, the firmware should carry a digital signature that is verified and should also be encrypted, Stone writes. But CloudPets' firmware is neither signed nor encrypted, and it is only verified using a CRC16 checksum, he adds.
"Therefore it would be perfectly possible to remotely modify the toy's firmware," Stone writes. "However, given that it's already possible to turn the toy into a remote listening device using the built-in functionality, there's not much to be gained by modifying the firmware for nefarious ends."
Think of the Children
Worries have continued to mount concerning the security failures associated with IoT devices, including routers, digital video recorders and CCTVs, that can be easily hacked and used to build massive botnets. Many users, however, continue to purchase and use these low-cost and often poorly secured devices.
Many people would naturally assume that IoT devices designed to be used by children are better safeguarded against related security and privacy risks. Too often, however, that does not appear to be the case.
In December 2015, for example, Hong Kong toymaker VTech acknowledged that 5 million accounts connected with its various e-learning products had been compromised, including chat logs, profile photos of kids plus their names, genders, birthdates and addresses (see Toymaker VTech Hacked: 200,000 Kids' Data Exposed). Meanwhile, warnings have been raised about other internet-connected toys, including Mattel's Hello Barbie and the Cayla doll from Genesis Toys, among others.
Germany recently banned the Cayla doll because it implemented Bluetooth in an unsecured manner.
"Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy," says Jochen Homann, president of the Bundesnetzagentur - Germany's telecommunications watchdog, in a statement. "This applies in particular to children's toys. The Cayla doll has been banned in Germany."
Unfortunately, vulnerabilities in internet-connected devices - including toys - will likely continue, says Bryce Boland, CTO for security firm FireEye in Asia-Pacific. He predicts ongoing frustration for consumers, most of whom will have little or no indication of deficiencies in products they choose to buy or use.
"This isn't the first case of toy manufacturers failing to protect their customers' information and it likely won't be the last," Boland says, referring to the CloudPets case. "The fact is, a baby's crib is required to meet more rigorous safety standards and testing than connected devices like baby monitors or connected toys."
Executive Editor Mathew Schwartz contributed to this story.