Does everything have to be connected to the Internet? Even children’s toys? The case of CloudPets, discovered by security researcher Troy Hunt at the beginning of this year, was a warning sign: over two million voice messages from parents and their children were found unprotected on the servers of the CloudPets provider. More than 800,000 users were affected. But this also clearly shows that such IoT toys are very popular. Reason enough for AV-TEST to let the cat out of the bag in the IoT labs again to check for improvements. Meow…

The February Leaks

The CloudPets are Bluetooth-enabled smart toys. Parents and their children can easily send each other voice notes. In February, email addresses, passwords and voice recordings of CloudPets users were leaked. The data of more than half a million users was compromised, along with more than 2 million voice recordings of children and adults. The CloudPets database (MongoDB) was publicly visible – no username or password was required. A few days later, malware deleted the database, but some dumps are still downloadable. As AV-TEST research showed, these problems have now been fixed by the manufacturer, and the communication was encrypted during our Quick Test. However, several problems remain.

Communication improved

The initial setup requires the date of birth and an email address of one parent. The month and day of birth of each child have to be entered, as well as their first name and a nickname. The phone connects to the CloudPet via Bluetooth LE. Voice notes can be recorded either via the app or via the CloudPet itself. After recording, they can be sent to the CloudPet via Bluetooth or to other parents’ mobile devices via the internet; those parents can then send them to their CloudPet manually. The CloudPet itself has no direct connection to the internet.

The whole app communication was SSL-encrypted, but there was no certificate validation or pinning of any kind. This allowed us to break the encryption and inspect the communication.

The whole app communication is SSL-encrypted, but not secured against man-in-the-middle attacks

Voice recordings were automatically uploaded to an Amazon AWS server in WAV format. Once uploaded, they are downloadable without any authentication. The only “protection” is a pretty long file name containing unique ID(s). With enough computing power and time, you could start a brute-force search for voice files by trying each possible ID. However, this attack may not be practical.

Delete ineffective

If a recording is deleted in the app, it is removed from the phone. But we observed that the uploaded files remained online. Even weeks after testing, voice recordings that had been deleted via the app were still downloadable – probably forever. The recordings on the smartphone are stored in the app’s local folder, where bcrypt-hashed account credentials are stored as well.
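Both storage findings above, downloads guarded only by a long file name and deletions that never reach the server, can be addressed on the server side. The following is an added example, not the vendor's code: the class, the URL layout and the key are hypothetical, and a dictionary stands in for the cloud bucket. It issues short-lived HMAC-signed links to the owner and removes the stored copy on delete.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

class RecordingStore:
    """Toy stand-in for the cloud bucket; class name and URL layout are hypothetical."""

    def __init__(self, key: bytes):
        self._key = key      # server-side secret, never shipped inside the app
        self._blobs = {}     # recording id -> (owner, WAV bytes)

    def _owned_by(self, rec_id: str, owner: str) -> bool:
        return self._blobs.get(rec_id, (None,))[0] == owner

    def _sign(self, rec_id: str, owner: str, exp: str) -> str:
        msg = f"{rec_id}\n{owner}\n{exp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def upload(self, rec_id: str, owner: str, wav: bytes) -> None:
        self._blobs[rec_id] = (owner, wav)

    def delete(self, rec_id: str, owner: str) -> bool:
        """Deleting in the app must remove the server copy, not only the local file."""
        if not self._owned_by(rec_id, owner):
            return False
        del self._blobs[rec_id]
        return True

    def signed_url(self, rec_id: str, owner: str, ttl: int = 300, now=None) -> str:
        """Issue a link to the authenticated owner; it stops working after ttl seconds."""
        if not self._owned_by(rec_id, owner):
            raise PermissionError("not the owner of this recording")
        exp = str(int(time.time() if now is None else now) + ttl)
        query = urlencode({"u": owner, "exp": exp, "sig": self._sign(rec_id, owner, exp)})
        return f"/rec/{rec_id}?{query}"

    def fetch(self, url: str, now=None) -> bytes:
        """Serve a recording only for an unexpired, correctly signed link."""
        parts = urlsplit(url)
        rec_id = parts.path.rsplit("/", 1)[-1]
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        expected = self._sign(rec_id, q.get("u", ""), q.get("exp", ""))
        if not hmac.compare_digest(q.get("sig", "").encode(), expected.encode()):
            raise PermissionError("missing or invalid signature")
        if int(time.time() if now is None else now) > int(q["exp"]):
            raise PermissionError("link expired")
        if rec_id not in self._blobs:
            raise FileNotFoundError("recording was deleted")
        return self._blobs[rec_id][1]
```

With this layout, knowing or guessing the file name alone is no longer enough to download a recording, and a link issued before deletion stops returning data once the owner deletes it.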

Because certificate pinning is missing, man-in-the-middle attacks were possible. We managed to intercept the traffic and serve a different WAV file to the smartphone when one was requested from the Amazon cloud. A malicious attacker could intercept your regular app traffic (containing the WAV file) and inject an alternative voice file – containing a threatening message for your child.
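As an added example (not code from AV-TEST or from the CloudPets app), the sketch below contrasts a TLS client configuration that skips certificate validation, as described for the app above, with one that validates the chain and hostname and then enforces a certificate pin. It uses Python's standard ssl module; the function names and the pin set are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def unvalidated_context() -> ssl.SSLContext:
    """What 'no certificate validation' amounts to: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def validating_context() -> ssl.SSLContext:
    """Library defaults: chain validation against system roots plus hostname check."""
    return ssl.create_default_context()

def context_findings(ctx: ssl.SSLContext) -> list[str]:
    """Report the settings that leave a TLS client open to interception."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not validated")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings

def pin_matches(der_cert: bytes, pins: set[str]) -> bool:
    """Compare the SHA-256 of the server's DER certificate with the pinned set."""
    fingerprint = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(fingerprint, p.lower()) for p in pins)

def open_pinned(host: str, pins: set[str], port: int = 443) -> ssl.SSLSocket:
    """Connect with full validation, then refuse any certificate that is not pinned."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = validating_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match any pin")
    return tls
```

Keeping more than one fingerprint in the pin set (the current certificate and its planned successor) lets the server rotate certificates without locking out installed clients.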


The Bluetooth-based communication can be hacked easily because no authentication process is implemented in CloudPets. Paul Stone described in detail which information can be read from or written to the devices. The CloudPets have five storage slots for audio recordings, which can be accessed, e.g., via the Chrome Web Bluetooth API. With the linked GitHub page we were able to control the integrated LED as well as the volume – which can’t be set via the original CloudPets app. Paul Stone’s demo website also allowed our Android device to upload audio to the toy and to trigger playback and recording on the device. The toy could be turned into a bugging device with little effort – without the owner’s knowledge. If you have a computer or laptop with a Bluetooth chipset and Chrome running, you can use this technique as well.

Demo Web Bluetooth Website

Privacy

The registration process asks only for necessary data. The Android app permissions also don’t show any abnormalities. The privacy policy can be viewed before installation of the app – it’s linked in the Google Play Store, but it isn’t accessible through the CloudPets website, and the SpiralToys website has a broken link. It is easily understood by 21 to 22 year olds (Flesch Kincaid Reading Ease). Considering that children are using these toys (the minimum age for the registration process is 13), the privacy policy has a bad reading index.

Conclusion

This test is exemplary for many others. The security of the smart toy has in fact been worked on, and it has improved. But too many vulnerabilities remain, so the online toy earns one out of three possible stars in our QuickTest. After the damage was done, customers paid the price for the manufacturer’s errors regarding privacy and security. The result of this test is therefore anything but a recommendation of this product. Rather, the case of CloudPets shows that security must be taken into account when developing IoT devices. The mistake the CloudPets developers made is also made by many other manufacturers. Because their products are not made for children, they are not in focus. Parents and all other users of IoT devices should ask about the security of products. Only if customers demand it will manufacturers pay more attention to privacy, data protection and the security of their customers.