Spiral Toys — a division of Mready, a Romanian electronics company that lost more than 99% of its market-cap in 2015 — makes a line of toys called "Cloudpets," that use an app to allow parents and children to exchange voice-messages with one another. They exposed a database of millions of these messages, along with sensitive private information about children and parents, for years, without even the most basic password protections — and as the company imploded, they ignored both security researchers and blackmailers who repeatedly contacted them to let them know that all this data was being stolen.
Even as the millions of records were stolen and shared online, the company was fielding its last-ditch, hail-mary product: an Internet of Things piggybank (it flopped).
Breach researcher Troy Hunt (proprietor of the essential Have I Been Pwned service), discovered all this by poring through the leaked data that his sources came to him with, finding ransom notices from multiple, independent criminal gangs who had stolen the company's user-records and were seeking hush money not to release them.
This is the latest in a series of high-profile breaches and security revelations about "connected toys": most recently, the German government advised people to destroy Cayla, an internet-connected doll that could be converted into a covert listening device; in 2015, the Hong Kong kids' crapgadget empire of Vtech was shaken by the revelation that the company had lost 6.3 million customers' data, then lied about it, then changed its EULA to make you agree not to sue them over it, then tried to pivot into the home security market (!); then the Hello Kitty website was revealed to have leaked 3.3 million kids' data; then we learned that Hello Barbie sent recordings of your children to a notorious military contractor.
As I've argued before: there is no IoT business model. Hardware starts at a 2% margin and falls from there. IoT companies get capital by promising to monopolize an "ecosystem" — controlling app stores, service, parts, and consumables, and by collecting as much data as possible in case they might get an exit by selling the company to someone who wants access to it. These firms have no incentive to invest in any but the most cursory security measures (because by the time a breach occurs, they will either be a division of a larger company or out of business), and anything they spend it money they can't use to keep the doors open while they look for an exit or a profit.
The best way to monopolize ecosystems is by using DRM. Laws like Section 1201 of the DMCA make it a felony to break DRM, even for a legal purpose. By designing a product so that using someone else's apps, or parts, or consumables, requires breaking DRM, you can turn these otherwise normal, legal, competitive activities into felonies.
And because courts have interpreted DMCA 1201 as a ban on reporting security vulnerabilities (because telling someone about a defect in DRM helps them figure out how to defeat it), the devices that are designed to be as insecure as feasible, as spying as possible, and to treat their owners as their enemies are no-go zones for prudent security researchers.
Spiral Toys is the beginning, not the end.
Like the earlier image, these are yet more indicators of compromise (IOC) consistent with the ransom demands that were going around for MongoDBs in early Jan. Niall called them out later that month as part of his commentary on how the whole saga was unfolding:There were many malicious parties taking action against exposed databases during this period and we frequently saw the same system accessed multiple times by different actors, each demanding their own ransom. It wasn't until Jan 13 that Shodan reported no publicly accessible databases remained on CloudPets' IP Address.
The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom.
Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages
[Troy Hunt]
