connected teddy bear outfit CloudPets
wat
As the world learns of its embarrassingly leaky customer database, internet-connected cuddly toy maker CloudPets is under further scrutiny. This time for not securing its gizmos against remote exploitation via the Bluetooth Web API. Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the …
Hmm, seems the bit I quoted was edited (clarified?) sometime after. I'm not questioning your choice of words, I'm merely remarking upon the absurdity of anyone running a business in that niche and by that name.
not-really-Anon because I wanted the icon
CloudPets appears to be a holding company, the actual company that made these little privacy nightmares are Spiral Toys:
http://spiraltoys.com/investor-info/#people
CEO: Mark Meyers
CTO: Jorge Freitas
There is absolutely no mention of this security nightmare on the CloudPets or Spiral Toys websites.
Those are the golden words that instantly make me put a company on my personal black list.
Congratulations, CloudPets, I will now and forevermore not only not purchase any of your products but I will additionally express my opinion of your shoddy handling of this issue to everyone within earshot.
Remember: mistakes can be forgiven, we are all human, but sweeping mistakes under the rug of silence cannot. That is a sign of a specific behavior: the inability to own up to one's mistakes. And if you can't own up, you'll never correct them.
"Congratulations, CloudPets, I will now and forevermore not only not purchase any of your products but I will additionally express my opinion of your shoddy handling of this issue to everyone within earshot."
Judging by the share price quoted in the original story, they may not be around long enough to suffer any consequences. If they do go under, I wonder how expensive those soon to be inert cuddly toys will seem? Although inert sounds a lot safer than the current situation, the owners are still going to feel ripped off.
They'll probably just seek consent through an obtuse set of Ts and Cs that you must agree to before you can use the toy.
Consent is supposed to be 'informed' so there may be an argument there but any penalty wouldn't be as much had they not sought any consent at all.
Under GDPR they may be open to larger fines but if they're in a non-EU country they'd probably just withdraw from the market rather than pay a fine.
These are located in "the entertainer" shops on the aisle directly opposite the till so are being actively pushed at the moment along with some glimmer toys with an annoying video that plays on motion detection. There's a nice picture of dad telling the kids he's going to be late from work (Oh, the cliché)
What I want to know is,
Why has this not been reported by the general media?
Why have toy shops not stopped selling them?
They are clearly defective in the sense that they can be used by others to record audio from inside your house. While unlikely in general, it only takes someone in a semi living next door to someone with this to start snooping.
I actually said to my partner when we saw them on Monday that it would be a cold day in hell before I buy one of those and I bet they get hacked. Took a day, well played cloud pets for fulfilling my expectations.
These are located in "the entertainer" shops on the aisle directly opposite the till so are being actively pushed at the moment
Just went on The Entertainer's website and found that all five variants of Cloud Pets are "out of stock" so maybe they have seen the story and have withdrawn them from sale. I'm not popping into my nearest Entertainer store to check if they are still on the shelves!
No obvious warning note on the website though, saying why they are no longer available or telling people to stop using them :-)
M.
While I can confirm that they appear to be currently out of stock on The Entertainer's website, it's also notable that the price is listed as £5.99 down from a scored-out £29.99 - a massive reduction.
(The archive.org copy of the page confirms they *were* actually selling them at that price.)
So it's possible they genuinely are sold out because they were so cheap - but then, I'm curious as to why they'd have done *that* in the first place!
Scaremongering over the Bluetooth API is simply opportunistic agenda pushing; no better than criticism that a browser allows a web cam to be turned on when the user allows it to be turned on, accusing safety filters of not working when the user has explicitly disabled those, blaming a browser for allowing the upload of confidential files when the user decides to upload those files.
Presumably the gun, rope, pills or razor blade - or those who sell such things - are to blame when some poor sod decides to top themselves.
And I guess routers should not allow people to expose their networks to the public because bad things can then happen.
I can agree there are some people who need help protecting themselves from themselves but that does not mean we need wide sweeping nanny-statism which prevents those who understand what they are doing from doing that. Just because El Reg doesn't like it doesn't mean that others don't.
About the webcam: the browser can get pwned meaning that the pop-up asking for permission might not appear.
About the Bluetooth API: As you can see here, a malicious web page can connect to remote devices and use them to obtain data. Obviously the paw pair confirmation thing was broken (it didn't do anything, and it takes a stupid kind of bastard to say that's OK, ship it, stupid because he's going to get caught out), but there are plenty of Bluetooth devices around where you can tell the product from its address and protocols and feed it the default pairing PINs or take advantage of exploits.
The browser needs to get back in its sandbox.
"I have two of these cuddly-toy-becomes-eves-droppers and to be honest I really couldn't care less. "
Really, and when the "sad-o" tells your children that mummy and daddy don't love them anymore and that the only person to trust is Uncle Ernie who is sitting outside in his van with some nice sweets? He'll know exactly the right moment to get in touch because he'll have heard your child having a tantrum and screaming "I hate you!"
"Scaremongering over the Bluetooth API is simply opportunistic agenda pushing;"
<sigh> You may want to acquaint yourself with the facts before dismissing the valid security concerns over these things. The makers of the Cayla doll responded much as you have, complacently. Fortunately Germany takes these issues more seriously and the obnoxious doll has been removed from sale (in Europe at least). See this link for an overview of the issues:
Cayla was an insecure Bluetooth headset disguised as a doll. However hacking Cayla could lead to the doll being used to groom children, abuse them (as in cyber bullying), estrange the children from their parents and to steal information that could be used for other purposes. If you think having someone spy on you in your own home isn't a bad idea, consider if you ever read out your payment card details within hearing range of a device.
You also shouldn't be making casual assumptions about your child's right to privacy.
Here's a description of the issue with Cayla and other listening devices:
Here's a BBC item about the same:
"I can agree there are some people who need help protecting themselves from themselves but that does not mean we need wide sweeping nanny-statism..."
Let's sit down sometime and have a good long talk about what human beings need and about how some desperate silicon pushers --who naturally need to keep selling ICs or else find they are milking a dry cow and maybe even have to write off all that preparation and experience and whatever all those patents might be worth-- are reaching new lows all the time.
"Now, you needn't have studied marketing to know that there are two groups of people who can always be convinced to consume more than they need to: addicts and children. School has done a pretty good job of turning our children into addicts, but it has done a spectacular job of turning our children into children. Again, this is no accident..." --John Taylor Gatto, Against School
"Scaremongering over the Bluetooth API is simply opportunistic agenda pushing;"
I've come back to this because it's still annoying me. This wasn't scaremongering over the Bluetooth API as such, it's a discussion of the flaws that were introduced by a manufacturer's implementation of security. From the article:
"Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the computer or handheld viewing the page, without any authentication"
You see that part in bold? That's the important detail, no authentication required. This is a common failing in the Internet of Toys domain, the manufacturers do not provide even the most basic security measures. It's an implementation issue.
I've come back to this because it's still annoying me. This wasn't scaremongering over the Bluetooth API as such
Except for the sub-headline: "Warnings about leaky Bluetooth Web API all-too-accurate".
That appears to me to suggest the Bluetooth Web API is at fault here.
From the article: "Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the computer or handheld viewing the page, without any authentication"
Yes; and that's a failure of authentication, not a failure of the Web Bluetooth API. I would refer you to the post below from pdjstone: "Author of the blog here ... I don't think there's anything particularly bad about Web Bluetooth itself (Chrome pops up a prompt and the user has to explicitly choose a device to connect to)".
There is no automatic means for a web page to automatically connect to any Bluetooth device, including CloudToy. That requires human intervention.
There is already excellent advice available about what to do.
You can skip to point 6 in that. Straight away.
My kids know how Google, Facebook and other similar outfits make their money from a very early age.
It is the same education our parents gave us regarding what to do about a strange man giving out sweets to children in the park. Just for the digital age - using Google and Facebook as prime examples.
Author of the blog here - just to be clear the Unicorn itself doesn't use Web Bluetooth. It uses regular Bluetooth LE. I don't think there's anything particularly bad about Web Bluetooth itself (Chrome pops up a prompt and the user has to explicitly choose a device to connect to), I simply used it as a quick and fun way to demonstrate the vulnerabilities in the toy.
> Chrome pops up a prompt and the user has to explicitly choose a device to connect to
But isn't "the user" in that statement the Bad Man? So presenting him with a prompt and a choice of delicious low-hanging fruit is hardly any form of security.
"Bluetooth LE typically has a range of about 10 - 30 meters"
No it doesn't. Class 1 industrial use has a typical range of 20-30m, class 2 use as seen in pretty much all mobiles, toys, and so on, is typically no more than 5-10m, with 30m being the absolute maximum under ideal conditions. Someone connecting to a child's toy at long range from outside your house is effectively impossible. Even connecting to one from the other side of a room is likely to be pushing it most of the time. There's a reason the video shows someone sitting next to the toy with his laptop.
This kind of unsecured bluetooth might be useful for targeted attacks, but no-one is going to be driving around the neighbourhood trawling for bluetooth connections since, unlike wifi, they'd never be able to find a signal strong enough. Connecting from some other compromised device that spends time nearby could work, but at that point you'd probably have the relevant credentials anyway if you actually needed them.
Someone connecting to a child's toy at long range from outside your house is effectively impossible.
I am not convinced of that. Not sure what 30 metres is in El Reg units, but it's about 100 foot in old money. I worked with BT/BLE and our scanning application using an off-the-shelf Bluetooth dongle detects neighbour's equipment three doors down and people walking past the office.