For anyone who is coming straight to the comments before reading the article: the details are even worse than the headline suggests.
Not only was a huge amount of information exposed through a public, unauthenticated MongoDB instance, and not only did CloudPets ignore multiple security researchers' attempts to alert them to the problem, but the database was actually held for ransom multiple times without customers being alerted to the breach.
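As an added example (not code from the thread or from CloudPets): a small Python audit of the two mongod.conf settings behind exactly this kind of exposure, a wildcard bind address and `security.authorization` left off. The parser handles only the flat two-level YAML subset that mongod.conf uses, and both sample configurations are constructed.

```python
"""Audit a mongod.conf for the two settings that turn a database into a
public, unauthenticated instance: a wildcard net.bindIp and a missing
security.authorization: enabled.  Added example, not CloudPets' code."""

WILDCARD_BINDS = {"0.0.0.0", "::", "::0"}
LOOPBACK_PREFIXES = ("127.", "localhost", "::1")


def parse_mongod_conf(text):
    """Parse the 'section:\\n  key: value' subset of mongod.conf (not full YAML)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw.startswith((" ", "\t")):           # top-level section, e.g. "net:"
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:     # indented "key: value"
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind_ip = net.get("bindIp")
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod accepts connections on every interface")
    elif bind_ip is None:
        findings.append("net.bindIp not set: releases before 3.6 default to all interfaces")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if any(a in WILDCARD_BINDS for a in addrs):
            findings.append(f"net.bindIp {bind_ip!r} is a wildcard: reachable from the internet")
        elif any(not a.startswith(LOOPBACK_PREFIXES) for a in addrs):
            findings.append(f"net.bindIp {bind_ip!r} is not loopback: confirm a firewall restricts it")
    if sec.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not 'enabled': anyone who can connect can read or drop every database")
    return findings


# Constructed sample: the shape of config that leaves a database open to anyone.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0     # listen on every interface
"""

# Constructed sample: same daemon, loopback only, authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_mongod_conf(text))
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```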
This is _insane_. My daughter got a surprise cloudpet for her birthday from a distant relative. The app you have to use with the cloudpet is also filled with ads, some of which are of adult nature. This company is sleazy as hell. I hope they get sued out of existence.
They basically failed out of existence before this even happened (the article includes details on their share price sliding to nothing earlier last year), which is probably one reason they didn't bother telling customers about it. This is probably the best example I've ever seen of the dangers of trying to keep a service running once the company behind it has gone under.
From what I've seen, a lot of those MongoDB ransomwares actually just delete the data and leave a ransom note in the hope of getting free bitcoin. So in a sense they've done some good by removing it from the internet.
A guy I work with did a presentation on this product, he is big into reverse engineering bluetooth devices. I can assure you the toys themselves are just as insecure as apparently their infrastructure is.
Seeing it light up and say "destroy all humans" was pretty funny, more so because there is pretty much zero authentication on them so you could do it from anywhere from your mobile, and the mic can turn on and record without any authentication at all.
I took a grad course last semester where one of the groups analyzed a Nest cam and the other analyzed the Mother sensor device. Both were surprisingly quite secure, especially the Mother, which had security features all the way down the stack.
Meanwhile police in a murder case are preparing to take Amazon to court for Echo records. On the privacy front, there's just no saving people, but the IoT brings the magic of invading privacy together with furnishing botnets with millions of new bots!
We're screwed coming and going, and the vast majority still look at you like a woodland hermit if you suggest that you shouldn't have anything listening to you in your home.
I wonder how much infrastructure is really required to properly support Alexa like capabilities for an individual. Does Amazon really need all of our recordings on their hardware in their data centers? Is it conceivable that we could own that hardware as well?
I realize that training data is important and I assume the recorded data gets used for that purpose, but does Amazon need to keep it forever? How long do they need it? Can I own and possess the hardware and pass off the learning alone?
What's wrong with the police requesting Echo records? Surely the Echo records requests you make to it. No different than Google recording your search history. And it's pretty reasonable for the police to want to look at that in a murder case. And they got a warrant. I don't see anything sinister in this case at all.
I'll be putting out our blog post about this first thing tomorrow (we had it ready to go for next week, but I think now's a good time to add some fuel to the fire). Essentially the toy uses Bluetooth LE very insecurely and it has a speaker and a microphone. Guess what happens next?
Reading and fully comprehending the full contents and implications of https://twitter.com/internetofshit should be required for anyone who is thinking about making an IOT type device.
I do agree that lots of IoT products have terrible security, but is having insecure bluetooth or the likes really a terrible thing for most of these types of products?
I understand that this leak is related to mongodb... and that is terrible, but mostly referring to your bluetooth example.
I mean, take bluetooth headphones: they are notoriously insecure, but the range in which eavesdropping could take place is pretty small, and for most of us you would just be eavesdropping on our annoying music. Seems reasonable that they save bandwidth on secure transmission of data for higher audio quality. That said, I could see an argument the other way, but I'm sure there are more examples where it doesn't seem like a big deal. It would be interesting to hear from someone who thinks I'm dead wrong.
> Seems reasonable that they save bandwidth on secure transmission of data for higher audio quality.
Encrypting a compressed audio stream does not add to the bandwidth, aside from the initial key negotiation.
Furthermore, the bandwidth required for audio of a quality that's indiscernible from the original is negligible when compared to the bandwidth of Bluetooth radios. Ridiculously good audio is 320 kbps, and Bluetooth is easily good for 25 Mbps.
I suppose you could argue that the battery power used to perform this computation is the limiting factor, but a good embedded DSP used to perform the recording and transmission typically has tiny power requirements and hardware encryption routines that don't significantly change the power requirements of the device, as compared to keeping a blue LED blinking or powering an earbud speaker.
No, let's be honest here. The actual limiting factor is engineering time and money that goes into developing these devices as quick and cheaply as possible.
If your threat model for your Bluetooth keyboard doesn't involve, say, an abusive spouse sniffing traffic to see if you're reaching out for help, your threat model is probably biased in favour of wankery like the NSA and not real threats ordinary people face.
> The Germans had a good point: kids' toys which record their voices and send the recordings up to the web pose some serious privacy risks. It's not that the risks are particularly any different to the ones you and I face every day with the volumes of data we produce and place online (and if you merely have a modern phone, that's precisely what you're doing), it's that our tolerances are very different when kids are involved
It's a bit paradoxical. There are far fewer things a kid can say that can get him in trouble than an adult. Even the most oppressive regime will not hold what a 4yo toddler says against him. The need for privacy should rather be less for a kid than for an adult.
What it means is that violations of privacy are creepy, period. We try to rationalise it by arguing that we get something out of it, but when dealing with our kids, we stop believing our own bullshit and it just becomes purely creepy...
Additionally, what benefit do we have to gain by preserving these recordings? The whole thing seems massively risky for no reason other than to make a few bucks.
People kept devices which allowed strangers to talk to their children sitting in their house, often in the children's bedroom for nearly a century and it wasn't a major problem. The vast majority of child abuse (like 95+%) is committed by parents or close family members. The danger of strangers is overblown and you shouldn't have to harp on that to get people concerned about companies unnecessarily snarfing up every bit of data about everyone of every age.
Yeah, I'm not worried about my kid saying things that will get him in trouble. However... he repeats literally everything that he hears, sometimes verbatim. Sometimes hours or days later. To be honest, it's really creepy at times. Plus, he doesn't really have a filter, so he'll talk about everything he sees at school or on the playground, just chattering about all day to himself.
So I'm worried about my kid saying things that could get other people into trouble.
A common anecdote from East Germany is that teachers would ask children what the "sandman" looks like (an evening TV show for children). The seemingly harmless answer then revealed whether their parents secretly watched imperialist West-German television. So yeah, children are pretty good at implicating other people.
I think it's possibly a bit more that we rationalize it as an adult because we can make a choice to give up the privacy or not. For a child they haven't developed mentally yet to understand that choice. That said I agree that the child has less potential for revealing information.
Even calling it a choice is rationalizing the loss of privacy. Most services are a binary choice of giving up privacy or not using the service. Some services can be done without, but many are required to operate in a modern society.
When will these companies be held liable for breaches like this? The time for feigned ignorance is over; this is negligence at best, outright greedy indifference at worst. There are no more excuses.
> the average parent... is technically literate enough to know the wifi password but not savvy enough to understand how the "magic" of daddy talking to the kids through the bear (and vice versa) actually works [or] that every one of those recordings... is stored as an audio file on the web.
If it is not considered amazingly stupid, or at least ignorant to not understand that the magic talking bear has a computer in it, and that if the computer wants the wifi password it probably uses the internet, and that if the entire purpose of the device is to make recordings available to you over the internet... then I despair. My sympathy for people who buy these sorts of products is wearing thin. But, in this particular instance...
> our tolerances are very different when kids are involved
Interesting. Why? The data is much less valuable:
> One little girl who sounded about the same age as my own 4-year old daughter left a message to her parents: "Hello mommy and daddy, I love you so much." Another one has her singing a short song, others have precisely the sorts of messages you'd expect a young child to share with her parents.
> If it is not considered amazingly stupid, or at least ignorant to not understand that the magic talking bear has a computer in it, and that if the computer wants the wifi password it probably uses the internet, and that if the entire purpose of the device is to make recordings available to you over the internet... then I despair.
I think you vastly overestimate the degree to which non-technical consumers understand computers, wifi, the internet, email, web sites, apps on their phone, and the differences and boundaries between any of those.
Because while we can make an informed decision about putting our own data into such a service, weighing up the risks and benefits, a four year old cannot - a parent is making that decision for them, and when you are making such a decision on behalf of someone else it behooves you to act more conservatively than when deciding on your own behalf.
True, but potentially very dangerous material in other ways. It's not hard to imagine kidnappers piecing together stolen audio clips to create fake messages as part of a ransom attempt. Or scammers creating audio clips to scare parents and extract money. A large bank of audio clips from a child could be used against that child's family in all sorts of ways, especially if the parents don't know the clips were stolen to begin with.
I don't understand. If I got a call in my daughter's voice saying "Help! I'm being held for ransom! Send all the bitcoins!" and then I call her phone and she answers, or she walks in the door having gotten home from school, how is anyone going to collect on that?
If we assume that you can actually scare the parents into paying a ransom, in the end the impact is... a lot of stress + financial loss. And this assumes that the parents can't get in contact with the kid, the police can't get in contact with the kid and the scammers have enough savvy to accept untraceable money. All of which points to this being more of a movie plot than something that will happen in reality.
And even if this were a credible threat, logically we should be more concerned about direct financial theft since it has the same impact, but is far less elaborate (but still far less common than other types of cybercrime).
Or worse, they could train a neural network to mimic the child's voice and create a fake message to send to the police alleging child abuse, with a ransom note at the end - in the child's voice.
Moving into the future only makes an audio bank more dangerous with technologies like Adobe VoCo, which only require a modest amount of recordings to synthesize in the child's voice (~20m IIRC).
How about the kids who don't leave cutesy messages and saw disturbing or threatening things? How about the parent who sits on the thing and says something?
Voice data was once safe in its obscurity... now I have a $2 app on my phone that can do decent voice transcription.
Audio messages can be used to train a system which then will be able to mimic the voice of the child, almost indistinguishable from the original. AI of this kind will be commodity (i.e. easily accessible by criminals) pretty soon if not today.
Sure - they _could_, but I've got lightbulbs and power switches that "helpfully" connect to some unbranded Chinese "cloud" service - without any normal-user way to even know about it, never mind turn it off.
I suspect some of it is so I've got the amazingly useful (nb: may not be useful at all) feature of being able to turn my lounge room lights on and off from my phone while not at home.
Cynical me suspects it's also probably a pretty good way to ensure forced just-out-of-warranty failures...
Pessimist-me assumes the Russians, the Chinese, Mossad, and some kid at the local hackerspace have all pwned the Chinese cloud infrastructure and are using backdoor root shells on light globes subversive t-shirt purchase history, and they're all cutting each other's throat price discounting as they sell it all as "business intelligence" to my car insurance company and the CBP...
Wouldn't you say that as a parent it is your obligation to protect the child's privacy? The threat model doesn't even matter, there will be one eventually. All data can be used and combined (now or in the future). Is it that hard to imagine a future where recordings of a child can be used to recreate the voice of the same person as an adult...hardly.
I find a "where's the harm" attitude towards privacy/data collection very troubling...doubly so if you are making that decision for someone else who can't protect themselves yet. Ethically it's probably a bigger problem than having such a lax attitude about your own privacy (which is perfectly fine/freedom of choice).
And yes I also rant and rave about parents who post pictures of their children everywhere.
Someone steals the recording saying "Hello mommy and daddy, I love you so much."
They then manage to contact you, reporting that they have kidnapped your children. They play you the recording to prove they are in your custody and demand an immediate ransom payout.
Highly prone to error, not very likely to work, incredibly evil and likely to end up with the perpetrator in jail, but, unfortunately, the sort of thing that a desperate criminal might try, and even more unfortunately, it only needs to succeed once for someone to consider it a viable tactic.
I know this is a stupidly unlikely occurrence, but extrapolate it with a bit more sophistication and you can start to see why this is actually quite nasty identity theft material.
Apart from the total disaster these kinds of incidents are, they serve a valuable purpose: material to educate my children about security. It is surprising to see how quickly my 9-year old daughter picks up the message, especially from these kinds of stories.
My 7 year old son is rapidly becoming far more hostile to anything from ads to privacy invasions because it is simply making up a far bigger part of his life than it does for me.
I wonder how children learning about these things from such a young age will play out once they're grown up.
sigh internet of things
Edit: Demo of the CloudPets functionality using Web Bluetooth https://github.com/pdjstone/cloudpets-web-bluetooth/
Also, it's not just recordings. Once an adversary has account access, they can talk to children. I can't imagine that being a good thing.
(No real source, but a random German article that quotes this anecdote: http://www.badische-zeitung.de/panorama/der-freundliche-herr...)
> One little girl who sounded about the same age as my own 4-year old daughter left a message to her parents: "Hello mommy and daddy, I love you so much." Another one has her singing a short song, others have precisely the sorts of messages you'd expect a young child to share with her parents.
Hardly identity theft material.
It's the why-do-I-care-about-my-privacy argument - but it's even more personal now, because it's not just you, it's your kids.
There's always that extra creep factor when it comes to children.
It's just one more thing to worry about.
Internet-of-Shit will remain exactly that until neglecting security is a substantial threat to the bottom line of a company.
They ignored multiple warnings? Got hacked multiple times? This is negligence, and this company should be fined out of business.
If you want one, they're now available for the low, low price of only $3.[2] Including WiFi.
[1] https://cloudpets.com/ [2] https://www.hollar.com/products/as-seen-on-tv-cloudpet-dog