The CloudPets saga has highlighted two major issues facing the connected world – open source databases and security by design.
It seems like a horror film remake of Toy Story – you can just imagine the movie tagline ‘first there was Barbie, now fear the teddy’. Unfortunately the CloudPets data breach is far removed from Hollywood, with parents waking up to the reality that their voices, and their children’s, could have been leaked.
The story, which has been strongly denied by CloudPets’ parent company, starts with Troy Hunt, author of the Have I Been Pwned data breach disclosure site, who disclosed that 2.2 million voice recordings of children and parents had been exposed in a data breach.
Leaked from a MongoDB database, the email addresses and password data for more than 800,000 accounts were also found to be exposed in the alleged breach.
Although the breach remains a contentious story – with the CloudPets parent company CEO stating that data breach reports ‘are completely false’ – what this news story proves is that internet-connected devices continue to be insecure, painting a worrying picture for the IoT era and connected world we are set to inhabit.
The CloudPets saga serves to highlight two important areas – security on the manufacturers’ side and open source databases.
Tackling the first issue – it is clear from historic cases such as VTech and Barbie that manufacturers are not following the security by design mantra chanted by the majority of security pros. Many manufacturers are not taking the necessary steps to secure IoT devices, nor giving any thought to the sensitive data these devices collect. Seeing as these toys are for kids, privacy should be paramount. Saying that there is little excuse for this on the manufacturers’ side, Bryce Boland, FireEye CTO, said:
“It’s not an isolated incident. This isn’t the first case of toy manufacturers failing to protect their customers’ information and it likely won’t be the last. The fact is, a baby’s crib is required to meet more rigorous safety standards and testing than connected devices like baby monitors or connected toys.
“Companies need to bake security into the design of their products. Security can’t be an afterthought. Connected devices like these need to be designed assuming hackers will try to compromise them. They should be designed so that even if they are compromised and information is stolen, it is useless to the attacker.”
The CTO went on to issue a worrying forecast – that things will get much worse before they get better.
“It’s a safe bet that attackers will continue to move faster than manufacturers. In fact, this case could’ve been worse. Imagine attackers using the toys as Trojan horses to encrypt files on the home network and then demand a ransom.
“I’m not typically a fan of regulation, but governments need to shift security from an economic externality to a cost of doing business. Until that happens, these events will continue to be common.”
CloudPets has also brought open source databases back into the headlines, with MongoDB only getting a couple of weeks’ respite following the ransomware attacks in January. Troy Hunt revealed on his blog that the breached CloudPets data had been leaked from a MongoDB database which was neither password-protected nor behind a firewall.
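To make the exposure concrete, here is an added, constructed example of the two settings that matter in a `mongod.conf`; it is not taken from the article or from the CloudPets deployment, and the specific values are assumptions. The first fragment reproduces the weak posture described above (listening on every interface with no authentication); the second shows the corrected posture.

```yaml
# Weak configuration (constructed example, not the CloudPets server's own):
# mongod listens on every network interface and, with no "security" section,
# authorization stays at its default of disabled, so anyone who can reach
# port 27017 can read or drop every collection.
net:
  bindIp: 0.0.0.0
  port: 27017

---
# Hardened configuration (constructed example):
# bind only to localhost, or to a private interface that just the
# application servers can reach, and require every client to authenticate.
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
```

Two notes on the corrected fragment. Enabling `authorization` only helps once an administrative user with a strong password has been created and the application has been given a least-privilege role on its own database; until then the setting blocks all clients. And `bindIp` is not a substitute for the firewall the article mentions: a host or cloud firewall rule that allows port 27017 only from the application hosts gives a second, independent barrier if the bind address is ever widened.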
“As I like to call IoT, the IOMT as in internet of malicious things, news of the teddy bear leak hit on two main issues: 1) the growing use of open source databases, and 2) putting devices on the internet,” said Paul Calatayud, CTO at FireMon.
“MongoDB is becoming a common technology for use in e-commerce due to its flexibility and price (free). Like most things that are free, there are hidden costs in the form of no security confirmations or common security models. This results in what I call security regression, where the best practices become quickly forgotten in the rush to slap an application on the internet. Combine this with devices that are exposed to the internet and you have a combination for a hacker’s paradise.”
CloudPets seems to be a case where profits trumped security. Use of a free, insecurely configured database, coupled with no security by design on the manufacturing side, equals a data breach – and an easy one at that.
If we are to embrace the IoT world – entrusting connected devices with our children, our homes and our lives – then significant investment needs to be channelled into security.
“Consumers need to be aware that it takes a lot of energy and investment to properly secure their information. If you have a sense the company may not be up to the task, you may want to think twice about what information you are sharing with them,” concluded FireMon’s Paul Calatayud.