A recent data breach of CloudPets, makers of connected teddy bears, left more than 2 million voice recordings of children and their parents exposed online. The culprit? A poorly-secured MongoDB database.
The breach was first reported in a blog post from Troy Hunt, a Microsoft regional director, on Tuesday. In his post, Hunt noted that the CloudPets data was stored in a MongoDB database in a network segment that was publicly facing, and that required no authentication. Further, the database was also indexed by Shodan, which Hunt described as “a popular search engine for finding connected things.”
The leak is only the latest of such incidents happening among connected children’s toys. In late 2015, VTech leaked personal information of children and their families, including names and addresses. Shortly before that, the Wi-Fi-connected Hello Barbie raised concerns about its security measures and, more recently, Germany moved to ban internet-connected dolls over hacking fears in January 2017.
While this may seem like a cautionary tale for parents, there are some standard security takeaways for businesses here, too. First, and it should go without saying, is that your database must be properly secured and managed. Invest in hiring a solid database administrator who is security-minded and knows how to respond to potential breaches.
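What "properly secured" means in MongoDB terms, as an added illustration that is not from the article or from CloudPets: the exposure pattern Hunt describes (listening on every interface, no authentication) next to a hardened mongod.conf. The 10.0.5.12 address stands in for a private application-subnet interface and is an assumption.

```yaml
# Constructed example, not CloudPets' real configuration.
# Document 1: the weak pattern behind the breach. mongod listens on every
# interface, so a public network segment exposes it, and with authorization
# off any client that can reach the port can read, modify or delete every
# database (which is how the data could be held for ransom).
net:
  bindIp: 0.0.0.0            # all interfaces, public ones included
  port: 27017
security:
  authorization: disabled    # no credentials required (this is also the default)
---
# Document 2: hardened. Only loopback and one private interface accept
# connections, and every client must authenticate; role-based access control
# then limits what an authenticated account may do.
net:
  bindIp: 127.0.0.1,10.0.5.12   # assumed private subnet address, never 0.0.0.0
  port: 27017
security:
  authorization: enabled        # credentials and roles enforced on every connection
```

A quick check after restarting mongod: an unauthenticated client connecting from outside the allowed interfaces should be unable to connect at all, and one on the allowed interfaces should be refused when it tries to list databases without credentials. Network exposure and authentication are separate controls; fixing only one of them leaves the kind of gap the article describes.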
In his post, Hunt also noted that the two exposed databases were named “cloudpets-staging” and “cloudpets-test.” This, he wrote, highlights a major violation of best practices in that businesses should never put production data into a non-production system.
Overall, roughly 2.2 million recordings were compromised. While the CloudPets parent company, Spiral Toys, was notified multiple times, it only responded much later. Businesses should be listening to their customers and addressing their concerns, especially if a potential data breach is involved.
In his post, Hunt wrote that “one of the greatest difficulties I have in dealing with data breaches is getting a response from the organisation involved. Time and time again, there are extensive delays or no response at all from the very people that should be the most interested in incidents like this.”
In addition to responding late, the company never notified the parents whose recordings were leaked. Hunt’s post said that the data from the toys was “accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom.” This further underlines the need for transparency in the affected organization, both to keep users informed and to remain accountable to best practices.
The CloudPets fiasco also sheds light on some standard security practices for users that were overlooked. According to the post, CloudPets stored the passwords as bcrypt hashes, which is a good thing, but the company had no rules for the strength of user passwords. For example, a user’s password could literally just be the letter “a.” Also, because many users opted for common passwords, Hunt was able to crack them fairly quickly. Organizations should require complex passwords and further require that they be changed at regular intervals to encourage security.
When it comes to IoT and connected devices, many users may not understand the implications of how their data is being used. As Hunt noted with the parents of children using the CloudPets, “They don’t necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web.”
Companies would do well to educate their users on how data is used in IoT, and explain the potential for some of these devices to be compromised. This could help cut down on potential shadow IT situations involving IoT. When you consider adopting such tools, you should assume they will be breached and take steps to fight against it, Hunt said.
The 3 big takeaways for TechRepublic readers
- Two MongoDB databases used by CloudPets connected teddy bears were breached, exposing 2.2 million voice recordings of parents and their children.
- The databases required no authentication, and the company had no password strength requirements for their users, creating an ideal situation for hackers.
- Users should be educated on proper security practices, and the implications of sharing data with connected devices.
Source: SANS ISC SecNewsFeed @ February 28, 2017 at 08:11AM