Two million recordings of families imperiled by cloud-connected toys' crappy MongoDB

Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation. Essentially, the $40 cuddly CloudPets feature builtin microphones and speakers, and connect to the internet via an iOS or Android app on a nearby …

  1. redpawn

    Think of the Children

    Think how children would suffer if they didn't have the opportunity to be spied upon like their parents. Many adult toys can spy on you, such as cars, tablets, phones, etc. A childhood without a taste of adult experience would leave them unprepared for their dystopian future.

    1. Warm Braw

      Re: Think of the Children

      Far more entertainingly, think of the opportunity to add your own messages to the database to be played back to unsuspecting children and parents alike.

      1. Lotaresco

        Re: Think of the Children

        "Far more entertainingly, think of the opportunity to add your own messages to the database to be played back to unsuspecting children and parents alike."

        Someone has not just thought about it, they did it. The Cayla doll was hacked (easily) to make it a curse monster.

        Note that one of the really bad things about this is that the developers of Cayla put some thought into censoring Zuckerberg style the conversations that Cayla could have with a child, forbidding any mention of gay marriage for example, but couldn't be bothered to secure their trash-talking conduit to prevent someone "grooming" the child.

        I see you got a downvote, no idea why. Have an upvote to compensate.

        1. BillG
          Mushroom

          Child Neglect, Depraved Indifference, etc.

          Child Neglect, at the very least, comes to mind. Depraved Indifference is a charge that could easily stick.

          An example must be made. People at CloudPets must go to jail.

    2. ForthIsNotDead

      Re: Think of the Children

      "For example, a parent away on a work trip can open the CloudPets app on their smartphone, record an audio message, and beam it to their kid's toy via a tablet within Bluetooth range of the gizmo at home; the recording plays when the tyke press a button on the animal's paw."

      Or they could just call them on the fucking phone.

      1. Lotaresco

        Re: Think of the Children

        "Or they could just call them on the fucking phone."

        Wouldn't that qualify as paedophilia and incest?

        1. This post has been deleted by its author

      2. Kiwi

        Re: Think of the Children

        Or they could just call them on the fucking phone.

        Or they could buy their pre-school kids a special toy where the kids can learn how to use very simple buttons to hear from dad/mum and leave a message for dad/mum.

        A phone is nothing special. But making teddy talk?

        (Ideally, the toy would have reasonable security behind it and a manufacturer who, if they screw up, admit it and deal with it quickly rather than trying to deny it when the stolen info is probably on TPB et al by now)

        [12hrs after original post - dunno how but I replied to and quoted the wrong message in my original post...]

    3. Anonymous Coward
      Anonymous Coward

      Re: Many adult toys can spy on you such as cars, tablets phones etc.

      Wait, what? Do we have the same concept of "adult toys"? Even if they have patented round corners, these may not be er, fit for purpose.

      1. Kiwi
        Coat

        Re: Many adult toys can spy on you such as cars, tablets phones etc.

        Wait, what? Do we have the same concept of "adult toys"? Even if they have patented round corners, these may not be er, fit for purpose.

        Dunno.. Mate of mine said his ex-missus could easily qualify as a "loose cannon"...

  2. Suburban Inmate
    FAIL

    Face. Fscking. Palm.

    For the sheer predictability of this omnishambles that was clearly obscured by dollar signs in the eyes of whoever signed off on the Bad Fucking Idea.

    I haven't caused any kids, but if I had I'd never let anything like this anywhere near them.

    1. Lotaresco

      Re: Face. Fscking. Palm.

      "I haven't caused any kids, but if I had I'd never let anything like this anywhere near them."

      What's irritating is how far back the warnings about the Internet of Toys go[1]. And even more scary is that there are fools out there using "Adult Toys" that connect to the internet without any form of security.

      [1] As others have pointed out the warnings go all the way back to the 1950s when science fiction authors thought about the implications of information technology and connectivity for toys.

    2. Mephistro
      Angel

      Re: Face. Fscking. Palm.

      "I haven't caused any kids..."

      I think the correct word in this context is "perpetrated".

    3. Kiwi

      Re: Face. Fscking. Palm.

      I haven't caused any kids, but if I had I'd never let anything like this anywhere near them.

      Most parents wouldn't let something near their kids that they believe is a serious risk. I can bet if you did have kids you'd probably have something near them without giving it a thought that others would make sure never got near their kids.

  3. a_yank_lurker

    Incompetence

    The sheer stupidity of essentially no security is mind boggling. With this lack of security the backend db does not matter because there are far deeper design problems.

    1. Anonymous Coward
      Joke

      Re: Incompetence

      Yeah but... on the plus side, their backup regime is excellent as, clearly, they were able to restore after each wipe. ;-)

    2. Just Enough

      Re: Incompetence

      What's particularly gob-smacking is that apparently their data has already been hijacked 3 times for ransom. Why did they make no attempt to fix the situation the first, second or third times?

      'Hey boss, it's happened again!'

      'Oh FFS! Give them the money!'

      'Ok. We look at securing the database now?'

      'No. The chances of this happening yet again must be astronomical!'

      1. Boothy

        Re: Incompetence

        There was no mention of paying the ransom, so I'm guessing they just restored from a backup each time (as mentioned in the joke above).

        1. Bandikoto

          Re: Incompetence

          The data sounds ephemeral, so to speak. The cloud store exists to pass it along to the target device at the home where the toy lives. Had the black hats been more aggressive, I can just imagine little Sophia asking "Mommy, what does 'exsanguinate' mean?"

        2. John Brown (no body) Silver badge

          Re: Incompetence

          "There was no mention of paying the ransom, so I'm guessing they just restored from a backup each time (as mentioned in the joke above)."

          No. The ransom is cheaper than paying for proper backups. They are relying on anonymous others to take the backups on their behalf. Pay as you go restore backups.

      2. dgc03052

        Re: Incompetence

        "Why did they make no attempt to fix the situation the first, second or third times?"

        Your imagination just isn't up to the level of incompetence out in the field. They probably have something hard coded into the bears or apps that are out in the field... We just haven't heard about it because it doesn't happen with every access, just something like initial setup or reset (and seriously, why spend more time investigating their level of security).

    3. Anonymous Coward
      Anonymous Coward

      Re: Incompetence

      The sheer stupidity of essentially no security is mind boggling. With this lack of security the backend db does not matter because there are far deeper design problems.

      Oh, I think that designing it properly or hiring someone knowing something about security would, you know, cost money, so no way we're doing that....

  4. P. Lee

    But it's Cloud!

    Doesn't that mean security is someone-else's problem?

    I don't think I'd have deleted the data - it clearly has little value.

    I think I'd have threatened to modify the recordings.

    Grandma will be most surprised at little Tyke's vocabulary.

    Cue sue-balls.

    Far more effective than holding Tyke's message to ransom.

    1. Anonymous Coward
      Anonymous Coward

      Re: But it's Cloud!

      I remember a sci-fi story (forget its name) where every child has a talking teddy that teaches them right from wrong, preventing crime..... One boy is reprogrammed by his father so the kid can be used to kill...

      Can you imagine a little kid where the teddy whispers to them dark thoughts as they play.... scary

      1. DNTP

        Re: But it's Cloud!

        Harry Harrison's "I Always Do What Teddy Says"

        Somehow it seems that I've been posting comments relating to this story a lot more in the last two years. Children's toys are probably beyond the line where the current IoT craze should have stopped.

        1. Martin an gof Silver badge

          Re: But it's Cloud!

          Harry Harrison's "I Always Do What Teddy Says"

          The flip side of that is A Young Lady's Illustrated Primer in Neal Stephenson's The Diamond Age, a book which also contains somewhat sophisticated 3D printers...

          M.

  5. MrDamage Silver badge

    If

    A security breach researcher can picture his daughter using a web-connected teddybear, I have strong doubts that he is actually a security breach researcher.

  6. allthecoolshortnamesweretaken

    And this, Charlie Brown, is what "cloud" is all about.

    Solutions looking for problems, with the added bonus of crappy security and new attack surfaces.

    As a side note, about the "it's hard to picture a more innocent scenario" bit - anyone who thinks that four year old girls are harmless hasn't been to kindergarten.

  7. Mark 85
    Facepalm

    Show of hands.... anyone surprised by this?

    1. Lotaresco

      "Show of hands.... anyone surprised by this?"

      Not when Pen Test Partners have been briefing about these vulnerabilities since 2014.

      They have some sensible advice about Cloud Pets on their website.

      1. Anonymous Coward
        Anonymous Coward

        "Not when Pen Test Partners have been briefing about these vulnerabilities since 2014."

        I have an indelible recollection from 35 years ago of a friend's 2 year old daughter confiding secrets to her doll.

        It doesn't take much imagination to see the dangers there.

      2. CrazyOldCatMan Silver badge

        They have some sensible advice about Cloud Pets on their website.

        Does it involve incineration, use of a lupara at short range or copious amounts of gunpowder?

  8. WibbleMe

    How exactly is MongoDB crap if the developer failed to secure it? The fact that you get warning messages in the MongoDB log file about it not being secured should be a giveaway.

    https://docs.mongodb.com/manual/administration/security-checklist/
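    The checklist the post links to comes down to two settings in mongod.conf for the failure described in the article: what interfaces mongod listens on, and whether access control is on at all. The script below is an added example for this thread, not code from The Register, CloudPets or MongoDB: it embeds a constructed weak config beside a constructed hardened one, parses the nested key/value subset of YAML that mongod.conf uses (so it runs without PyYAML), and reports which of the two basics fail. The check ids are my own naming.

```python
"""Audit a mongod.conf against two basics of the MongoDB security checklist.

Added example, not code from the original thread or from MongoDB. Both
config files are constructed; the parser handles only indented
'key: value' mappings, which is all mongod.conf needs here.
"""

# Constructed: roughly what an internet-exposed mongod 3.x looked like.
# No security section, and bindIp explicitly on every interface (before
# 3.6, leaving bindIp out had the same effect).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same service with the two checklist basics applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1        # or the private address the app servers reach
security:
  authorization: enabled   # every client must authenticate and hold roles
"""


def parse_conf(text):
    """Parse indented 'key: value' mappings into nested dicts.

    Strips comments and blank lines. Lists, quoting and multi-line
    scalars are not handled; mongod.conf rarely needs them.
    """
    root = {}
    stack = [(-1, root)]          # (indent, mapping) for each open scope
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()           # a dedent closes the deeper scopes
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit(conf):
    """Return the ids of failed checks; an empty list means both basics pass."""
    failed = []
    net = conf.get("net", {})
    bind_ip = net.get("bindIp") if isinstance(net, dict) else None
    if bind_ip is None:
        # Before MongoDB 3.6 an absent bindIp meant "listen on all interfaces".
        failed.append("bindIp-unset")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        failed.append("bindIp-all-interfaces")
    security = conf.get("security", {})
    if not (isinstance(security, dict)
            and security.get("authorization") == "enabled"):
        # Without this, anyone who can reach the port is effectively admin.
        failed.append("authorization-disabled")
    return failed


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "OK")
```

    Two caveats. Binding to localhost only works when the application runs on the same host; when it doesn't, bind to the private address, firewall the port to the app servers, and still enable authorization, since a private network is not an authentication mechanism. And the startup warning the post refers to is real (mongod 3.x logs that access control is not enabled), but a warning nobody reads is not a control, which is the point the replies below make.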

    1. Phil O'Sophical Silver badge
      FAIL

      Yes, we all know everyone checks the logfiles to see if they've made a mistake when otherwise the system seems to be working perfectly.

      Any product that isn't secure out of the box when installed is unfit for purpose. If the developer has that cavalier an approach to security in general, what hope is there that the rest of the security "features" have ever been tested?

      1. HieronymusBloggs

        "Any product that isn't secure out of the box when installed is unfit for purpose."

        A developer who ignores basic security is unfit for purpose IMO. This is presumably someone who does this for a living, not just some random member of the public.

    2. Hans 1
      Windows

      The whole point is, there are IT admins and devs that are useless.

      The lack of hardening of the MongoDB says it all about the IT team.

      The fact that they were saving recordings in WAV says it all about the devs, really, what a bunch of useless morons.

      I would fire the entire dev/IT team if I were in charge of that toy outfit, I would name and shame the guys on the Internet, never to find a job in IT again.

      MongoDB could have provided idiot-proof defaults, then again, MongoDB have decided NOT to cater for idiots, that is their call.

      Log files are good, RTFM is much, much better ...

      The good news in all this, we get to:

      1. Know about data slurped by toy manufacturers being stored in the cloud .... for no obvious technical reason. The masses will probably react at some point ....

      2. Have a new company to add to our CV-scanner's blacklist

      1. Doctor Syntax Silver badge

        "I would fire the entire dev/IT team if I were in charge of that toy outfit"

        Those in charge are equally guilty. Either they paid no attention at all or ignored the risks. If you'd been in charge you should have been fired as well.

      2. pop_corn

        > "I would name and shame the guys on the Internet, never to find a job in IT again."

        Right because you've never made an IT mistake, and all the rest of us are perfect programmers too, who sprang into the world with all the knowledge we have now?

        People learn far more from their mistakes than successes. Sure fire the IT dept, but can bet your boots those guys/girls won't make the same mistake twice. To suggest that for 1 mistake someone should lose their career, livelihood, then possibly their house and wife, is ridiculous.

        1. Alister

          People learn far more from their mistakes than successes. Sure fire the IT dept, but can bet your boots those guys/girls won't make the same mistake twice.

          Except in this case, they obviously have, not once, but multiple times. Their databases have been deleted on several occasions, and replaced with warning messages, and they have had to restore the databases each time, and yet apparently, at no stage did they wonder why this was happening, or investigate ways to stop it.

          1. Boothy

            Quote: People learn far more from their mistakes than successes. Sure fire the IT dept, but can bet your boots those guys/girls won't make the same mistake twice.

            Except in this case, they obviously have, not once, but multiple times. Their databases have been deleted on several occasions, and replaced with warning messages, and they have had to restore the databases each time, and yet apparently, at no stage did they wonder why this was happening, or investigate ways to stop it.

            They are most likely different people/teams. The devs were probably hired to build the system, and have likely long since gone. Being replaced by a likely cheaper support team (or person), who probably doesn't know much about MongoDB itself.

        2. DropBear
          Trollface

          "...then possibly their house and wife, is ridiculous."

          What sort of toxic environment has this site become to insinuate that only males (and homosexual females) could possibly be at risk and/or own a house, in such a grossly sexist manner?!? Outrage!!! /s

        3. Kiwi

          but can bet your boots those guys/girls won't make the same mistake twice.

          I dunno.. Reading the article.. Seems like they made the mistake a few times over.....

          (I do agree with your post though, have an upvote)

      3. CrazyOldCatMan Silver badge

        I would fire the entire dev/IT team

        I think "sue the company into non-existence" would send the correct message.

      4. Anonymous Coward
        Anonymous Coward

        Log files are good, RTFM is much, much better ...

        Making it just work securely without the need to read either logfiles or TFM is better still.

    3. Anonymous Coward
      Stop

      How exactly is MongoDB crap?

      How exactly is MongoDB crap if the developer failed to secure it? The fact that you get warning messages in the MongoDB log file about it not being secured should be a giveaway.

      MongoDB should have been designed for human beings to use, not the other way round - human beings should not have to be redesigned to safely use MongoDB. It is human nature to look for shortcuts, including not wading through log files and voluminous documentation if everything looks fine. If a product fails because the user doesn't do something, or does it wrong, then it should fail safely.

  9. Version 1.0 Silver badge
    Facepalm

    My ten cents...

    This is not a surprise - think about how products are developed, manufactured and sold these days:

    Someone knocked up a demo using an Arduino or similar, showed it to the boss who took it and ran with it, management saw potential and the development and marketing team was assigned. They simplified the whole thing, shipped the design offshore to be built really cheaply. The toy sells for $20 so the manufacturing and support cost is probably about $7 - back end IT support is probably seeing about 1% of that.

    Just how much security does 10 cents buy you?

  10. Anonymous Coward
    Anonymous Coward

    SQL 2000 had a blank password for the 'sa' admin too

    Looks like MongoDB is partying like it's 1999.

  11. Haku

    The rush to bring a product to market overlooked security?

    No surprises there.

    On a similar note it's probably about time encryption was introduced as a standard to the radio control hobby market, because it's apparently fairly easy to hijack someone's drone if you have the right kit with a bit of knowledge, and it wouldn't surprise me if someone decides they can make some money selling an easy to use drone hijacking device.

    There would be a danger if it's a run-of-the-mill ~1kg camera drone being operated in the vicinity of pedestrians (which it probably shouldn't be), but it could be so much worse if the drone in question were a large hexacopter / octocopter capable of carrying cinema quality cameras that weighs many kilos and can cost tens of thousands.

  12. Mage Silver badge
    Flame

    Mongo DB is irrelevant

    Toys that connect to the internet at all should be illegal. Possibly they are.

    Vtech gadgets

    Mattel: Been fined for website privacy of children users, never mind talking barbie

    others

    This is now common.

    1. Kiwi

      Re: Mongo DB is irrelevant

      Toys that connect to the internet at all should be illegal.

      Why? While it would pretty much remove the need for IPv6[1] and get rid of the vast majority of trash[2], what would making them illegal solve?

      [1] For a great many people, their laptops, cellphones, computers, tablets etc. are little more than "toys". If "all toys" were no longer allowed to connect to the internet, we'd see the end of probably the majority of home internet connections, thus a massive opening up in the availability of IPv4 addresses, and probably a significant drop in the number of ISPs as well. And yes, my home computing devices are "toys". If not, they would be "work" and therefore would not be "home" devices.

      [2] Trash like malware, 85% of social media, 95% of youtube, 99.999999% of youtube comments....
