Self-appointed privacy paladin Mozilla points out fatal flaws
The move follows similar actions taken by Walmart and Target last week. And other sellers of the toy are said to be considering similar action. Amazon did not immediately respond to a request for comment but CloudPets have vanished from its website.
A Mozilla spokesperson confirmed that the browser-and-openness biz had shared CloudPets’ vulnerabilities with Amazon. It also shared its findings with the Electronic Frontier Foundation which, along with other advocacy groups, planned to publish a letter on June 5 urging retailers to ditch the toys.
The EFF mistakenly published the letter on its blog and then removed the post – still visible in Google’s cache – but not before social media took note. By the time June 5 rolled around, Walmart and Target had already taken action and Amazon had contacted Mozilla about its plans.
Spiral Toys, the maker of CloudPets, did not immediately respond to inquiries.
Who put Mozilla in charge?
Since the publication of its first internet health report last year, Mozilla has warmed to the role of privacy scold and community conscience. In its latest hectoring effort, the company on Tuesday declared, “Facebook must do better,” in response to the social ad giant’s continued data fumbling.
In a statement provided to The Register, Mozilla’s vice president of advocacy, Ashley Boyd, explained why intervention was necessary. Security and privacy on the internet are fundamental, she said, but are increasingly violated.
“Companies like Equifax are breached, exposing millions of customers’ personal details, but face limited consequences,” said Boyd.
“More recently, the Facebook-Cambridge Analytica scandal revealed how little control and visibility we often have of our own data. I’m a mother of two young kids. And in a world where data leaks and breaches are becoming more routine and products like CloudPets can sit on store shelves, I’m increasingly worried about my kids’ privacy and security.”
Boyd, who last November advised those buying holiday gifts to avoid privacy-violating toys, said the issue goes beyond CloudPets to the relationship between consumers and companies.
“If consumers demand privacy and security be taken more seriously – and follow through with their pocketbooks – we can change the way companies treat us and our data,” said Boyd. “We can create a safer, more secure world for ourselves — and our kids.”
CloudPets and Spiral Toys have had issues in the past. Last year computer security researcher Paul Stone demonstrated how a CloudPets toy could be hijacked over Bluetooth to capture audio. That same year, the toy maker was found to be running an unsecured MongoDB database, from which hackers obtained at least 500,000 customer records.
Flaws unfixed after more than a year
Mozilla provided The Register with a copy of a security audit conducted, with its support, by cybersecurity research biz Cure53. The report notes that while the toy maker has fixed its MongoDB installation, CloudPets toys can still be turned into spying devices through the Bluetooth attack Stone disclosed last year.
It also found that a domain associated with the toy has expired and is available for purchase, so anyone who registers it could use it as a phishing platform.
What’s more, the toy does not verify its firmware, so an attacker with access to the device could load modified firmware onto it. And CloudPets voice recordings are stored in a publicly accessible Amazon S3 bucket.
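As an added illustration, not code from the Cure53 audit or from Spiral Toys, here is how a reviewer could check whether a bucket like the one described above is readable by anyone, and what the corrected configuration looks like beside the weak one. The bucket policy and ACL grant list are constructed for this example in the shape the S3 API returns them; the bucket name `cloudpets-recordings-example` and the IAM role are hypothetical, and the check uses a simplified definition of “public” (any Allow to principal `*` on an object-read action with no Condition) that approximates, but does not replicate, AWS’s own heuristic.

```python
"""Added example: flag an S3 bucket whose policy or ACL grants anonymous read.

The policy and ACL documents below are constructed for this example; the
bucket name and IAM role ARN are hypothetical.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let a principal read object bodies (IAM action names are
# case-insensitive, so everything is compared in lower case).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}. NotPrincipal is not handled."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Return the Sid (or index) of each Allow statement that lets an anonymous
    principal read objects. Assumption: any Condition is treated as restricting
    the grant, which is a simplification of AWS's own 'public' rules."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(grants):
    """Return (group, permission) for ACL grants that give READ or FULL_CONTROL
    to the AllUsers or AuthenticatedUsers groups. The 'public-read' canned ACL
    is exactly an AllUsers READ grant."""
    hits = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") not in (ALL_USERS, AUTH_USERS):
            continue
        if grant.get("Permission") in ("READ", "FULL_CONTROL"):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def audit_bucket(policy, grants):
    """Combine both checks; a bucket is public if either path grants read."""
    policy_hits = public_read_statements(policy)
    acl_hits = public_acl_grants(grants)
    return {"policy": policy_hits, "acl": acl_hits,
            "public": bool(policy_hits or acl_hits)}


# Constructed weak configuration: world-readable objects via policy and ACL.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::cloudpets-recordings-example/*",
    }],
}
WEAK_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

# Constructed corrected configuration: only a named backend role may read,
# and only over TLS; the ACL keeps just the owner.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackendRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/recordings-api"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::cloudpets-recordings-example/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::cloudpets-recordings-example",
                      "arn:aws:s3:::cloudpets-recordings-example/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
FIXED_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]

if __name__ == "__main__":
    for label, pol, acl in (("weak", WEAK_POLICY, WEAK_GRANTS),
                            ("fixed", FIXED_POLICY, FIXED_GRANTS)):
        print(label, audit_bucket(pol, acl))
```

In practice the same two checks run against the output of `get-bucket-policy` and `get-bucket-acl`, and a bucket that needs neither public policy nor public ACL should also have S3 Block Public Access enabled so that neither can be reintroduced later.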
The report concludes that Spiral Toys “clearly does not care about their users’ security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious attacks against their users.”
Similar flaws have been identified in other connected toys, like Genesis Toys’ Cayla doll and Mattel’s Hello Barbie doll.
To date, toy makers appear to have done little to repair their reputations. Just last month, researchers from Princeton University reported finding a handful of previously undisclosed vulnerabilities in connected toys that violated both the Children’s Online Privacy Protection Act (COPPA) and the toys’ stated privacy policies. ®