IoT of toys stranger than fiction: cybersecurity and data privacy update

Next story
ESET Internet of Stranger Things survey with ESET and National Cyber Security Alliance.
ESET Senior Security Researcher Stephen Cobb

Privacy breaches and cybersecurity failures are becoming – it pains me to say – all too commonplace. However, that doesn’t mean some of them are not uncommonly strange, involving circumstances so odd they are almost unbelievable. Consider the following tale of two images (which may be worth more than two thousand words).

The striking image (above, left) was created last year by ESET for an infographic about the Internet of Things or IoT. You can see a bunch of different “things” that could potentially be connected to the internet, from an automobile to home appliances, from wearable devices to a teddy bear (and if you think this particular teddy looks a little sinister, that’s thanks to the skill of this particular artist). 

The infographic itself, to which there is a link at the end of this article, display the results of a survey that ESET carried out last October in conjunction with the National Cyber Security Alliance. The goal was to assess consumer attitudes to the IoT (as you may know, October is National Cybersecurity Awareness Month). Because the survey results were published later in the month, close to Halloween, and the science fiction-horror series Stranger Things had become quite popular, ESET thought that “Internet of Stranger Things” would be a nice twist to put into the title of the resulting infographic (hence teddy’s intentionally sinister look).

Now checkout the image on the right. This is an actual toy, sold in America, that connects to the internet, namely a CloudPet (a brand owned by California-based Spiral Toys). This toy, which can record, send, and receive voice messages over the internet, has been in the news lately, but for all the wrong reasons.

First, there are the hundreds of thousands of customer records found stored on the web in a way that exposed them to anyone curious enough to look for them. Then there are the two million recorded voice messages, often very personal messages between children and parents, that were exposed for an extended period of time to anyone with basic skills, despite numerous warnings to the company about this problem. Here is how security researcher Troy Hunt put it in his lengthy but truly excellent blog post:

“By now it’s pretty obvious that multiple parties identified the exposed database, it remained open for a long period of time and it exposed some very personal data. It would be a safe bet to assume that many other parties located and then exfiltrated the same data because that’s what people do; scanning for this sort of thing is enormously prevalent and that data – including the kids’ and parents’ intimate audio clips – is now in the hands of an untold number of people.”

That is Troy’s emphasis, and he goes on to say “But it gets worse again” because not only was data from the toys and their owners badly handled and poorly protected by a company that did not respond to multiple warnings that this was indeed the case, but as his research shows this: “CloudPets data was accessed many times by unauthorized parties before being deleted and then on multiple occasions, held for ransom.”

And if you were thinking this could not get even worse, and truly scary like the teddy bear in the “stranger things” graphic, you’d be wrong, as I will explain in a moment. But first consider this finding from the ESET/NCSA survey: “More than 40 percent of Americans are not confident that IoT devices are safe and secure, with more than half of people indicating they were discouraged from purchasing an IoT device due to cybersecurity.” And 36 percent were very concerned about the privacy and security of children that use '"smart-toys."

In other words, companies who are making internet connected devices are already on notice that there is skepticism and concern about their security and the privacy of personal information that they process. We have seen poor security affecting connected toys before, as in the VTech case. I have previously written about security risks related to wearables and connected/autonomous vehicles. And to say that voice-activated connected devices may cause unexpected side effects is clearly an understatement.

What ties all of these things together – besides the internet – is the fact that too many people who make technology are also making poor decisions about technology risks. Those poor decisions lead to problems, not just for the unwitting consumers that buy the poorly secured products, but also for the wider digital ecosystem. Consider the massive Distributed Denial of Service (DDoS) attack on October 21 of last year. That resulted in lost revenue and unbudgeted costs for hundred of companies, and it was made possible by insecure IoT devices. How long before an attack of this type impacts patient care in the increasingly connected medical world of electronic health records?

And when you hear about devices giving up the secrets of their users like these cuddly toys did, you have to ask how long before patient fears around privacy loss due to weak security lead to the rejection of connected monitoring and treatment devices, undermining the much anticipated benefits of telemedicine? That day may come sooner than you think, because as I said, the CloudPets story gets worse. It turns out that, due to design flaws and poor risk assessment, these things can be turned into spying devices, as described in this article and also here. While could say “they’re just toys,” it is not hard to see that a string of cases like this could seriously undermine the public’s faith in more critical digital technology, an outcome with potentially dire economic consequences.

For the full “Internet of Stranger Things” infographic and tips for securing the IoT, click here.