CloudPets IoT Toys Leaked and Ransomed, Exposing Kids' Voice Messages (androidpolice.com)
"According to security researcher Troy Hunt, a series of web-connected, app-enabled toys called CloudPets have been hacked," reports Android Police. "The manufacturer's central database was reportedly compromised over several months after stunningly poor security, despite the attempts of many researchers and journalists to inform the manufacturer of the potential danger. Several ransom notes were left, demanding Bitcoin payments for the implied deletion of stolen data."

From the report: CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising. Hunt and the researchers he collaborated with found that the central database for CloudPets' voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left.
Strict liability for writing code? It's coming (Score:4, Interesting)
Build a bridge, and if it collapses due to poor design the engineers involved go to jail.
Build a crappy piece of software? No liability. That's going to end eventually.
You want to call yourself an "engineer"? Play by real engineering rules.
You're just a script kiddie with your Ruby? Tough.
Because eventually, if you implement something poorly like this, you will be liable.
If that scares you and makes you nervous, GOOD!!!!, because that means you're the type of clown-writing-code that needs to be held to higher standards.
Re:Strict liability for writing code? It's coming (Score:5, Informative)
While I agree with you, I think it's unfair to always put the blame on the programmer. In many companies that I worked for I remember seeing things that looked like this, I talked with my managers about fixing it, and they said "it is lower priority".
Re: Strict liability for writing code? It's coming (Score:5, Informative)
Turns out it doesn't.
I worked for a company with shit security practices. I put my foot down. Was almost fired for it. Had I not had and proven major exploits that would have put them out of business they would have fired me.
Yes, someone wrote that shit. Someone horribly unqualified to do the job they were hired to do. And then every person that came behind them wasn't given the time to fix it and shit got bolted on shit.
Also, this company literally handles children's personal info.
As soon as shit was fixed to my satisfaction, I was let go.
I couldn't be held responsible for having touched some of it before, or even after fixing it. Liability doesn't work that way (at least in Canada); it's 100% on the business.
To be clear. Management is to blame. Management is liable. For having allowed shit work to happen, and for allowing shit work to stay around.
Software developers have no right to say 'no' as engineers do. And I agree. It should be a regulated profession. It's not. Sometimes food for their families is more important than the moral high ground.
Re: (Score:1, Funny)
Heh, long ago I worked for a company that, as a part of its proprietary product, ran open mail relays. That's right! Open relays. It was "necessary" to make the software work correctly. The morons who built the custom solution knew nothing and I was a junior sysadmin back then so I didn't know to correct them. Needless to say we pumped out 100,000 spam emails a day compared to about 4,000 legitimate messages.
One day a new manager put his foot down and turned off the open relay. He was nearly fired.
Re: (Score:1)
Here at a company everyone thinks of as very open, and after several incidents, we eventually got to do paid pentesting (because we're not allowed to do it ourselves). They got in through the methods we had highlighted as problematic. We are forbidden to talk about it, and it's not getting fixed.
See, the goal of management is to reject blame, have zero accountability, and just appear to do stuff. They have no interest in security. Heck, they have no interest in the product. The only interest is to look good to
Re: (Score:1)
No it doesn't. If a bridge collapses the engineer who SIGNED OFF ON IT might be liable. Not all the engineers who worked on it.
Re:Strict liability for writing code? It's coming (Score:5, Insightful)
You should always make sure you get the manager response in writing. Just tell him to either send his response in an email and then archive this email, or log his response to the bug report ticket and notify. Because when the shit hits the fan you will always be blamed, unless you can point to an actual written statement saying otherwise. If you just say "The manager told me to ignore it", he will just reply "I don't remember saying that".
Everyone else is covering their asses, so you should too; otherwise it's your ass.
Re: (Score:1)
What happens to the jr. developer whose first task was to write software that was only supposed to be used internally as a test, when a year later some manager decides to put that code on a public facing, external server?
Re: (Score:2)
The problem is the rigor that is applied to code writing doesn't exist the same way as it does in other engineering fields... something I agree needs to change. If the education standard were higher, then it would be no problem to hold people accountable when their bridges fail and their code leaks personal information.
Re: (Score:2)
The problem is the rigor that is applied to code writing doesn't exist the same way as it does in other engineering fields... something I agree needs to change.
It needs to change, at least, for software that can kill people. Toyota got dinged for unwarranted acceleration not because they made a mistake or even because it was proven that's what happened. They got in trouble because their code was such garbage that it would be shocking if it weren't causing problems. It did not meet any reasonable programming standards, including the ones typically used within the auto industry. Anyone who hires a programmer who drives a Toyota is hiring a dumbshit.
Re: (Score:2)
Toyota got unwanted acceleration because people stepped on the gas pedal, thinking it was the brake. Just like every other "unwanted acceleration" problem in automotive history. It is a design flaw if you let people shift out of park without their foot already on the brake, of course, but not a programmer error.
Companies need to be legally punished for this (Score:2)
As the right says about its enemies, "they only understand force".
Re: (Score:2)
Note that I said "as the right says", not "as the right does". I think people missed the irony.
You want "cloud" (Score:5, Insightful)
Re: (Score:2)
You get this - you get cloud. Deal with it.
Cloud can be done 'right' with some forethought and skill, though. Unfortunately, that costs money.
Money and good sense. It can be done pretty well. But the problem is that given the nature of people, especially people who would buy their children toys like this - they simply won't. If regular folk by this time still refuse to use good passwords and practice good security - they never will.
Re: (Score:2)
It seems like there should be some kind of criminal negligence when security is this bad and people's personal data is being handled. In the UK they would likely be fined by the Data Protection Commissioner.
Re: (Score:3)
I recently encountered a site which had a maximum password length of 20 characters.
My password now contains a message to whoever thought this was a good idea.
I'm pretty sure somebody will read that message soon enough.
Re: (Score:2)
I recently encountered a site which had a maximum password length of 20 characters. My password now contains a message to whoever thought this was a good idea. I'm pretty sure somebody will read that message soon enough.
I suppose for the kids, the password will be 1Mommy, or some other hard to guess - oh wait - what password?
Re: (Score:2)
I recently encountered a site which had a maximum password length of 20 characters.
My password now contains a message to whoever thought this was a good idea.
I'm pretty sure somebody will read that message soon enough.
I know a bank that does this: http://northwest-bank.com/
Bizarre.
Re: (Score:2)
It seems like there should be some kind of criminal negligence when security is this bad and people's personal data is being handled. In the UK they would likely be fined by the Data Protection Commissioner.
I don't disagree. But if people by now do not recognize that the Internet of things in the cloud is inherently unsafe, and that manufacturers don't recognize that the same people who buy an IoT toy or a device that allows them to open and close their living room curtains with their smartphone aren't going to apply good security measures, well, the whole thing falls under the category that simply because we can do something doesn't mean we should do something.
Re: (Score:2)
There will have to be improved consumer protection laws, it's the only way things like this ever get fixed. It's hoverboards all over again - people will buy any junk without bothering to check if it is safe or not, and then hand it to their kids.
Re: (Score:2)
There will have to be improved consumer protection laws, it's the only way things like this ever get fixed. It's hoverboards all over again - people will buy any junk without bothering to check if it is safe or not, and then hand it to their kids.
I'm wondering what parents will buy an IoT toy that requires their child to enter - say - a 10 character password with at least one capitalization, one number and one special character. But yeah, this stuff shouldn't exist at all if you ask me. Ugh. "Talk dirty to me little Ashley"......
Re: (Score:1)
So is Nazism and, by extension, Donald Trump. Add in good beer and good food, not to mention the world's most superior scat porn, and I'm ready to emigrate.
I am inspired... (Score:2)
I am inspired!
IoT vibrators. You can record a message for your loved one, and it plays back to them next time they use their vibrator.
I AM A GENIUS!!!!!
Re: (Score:3)
Oooohh.... and it can send a message back to your phone, so you know when your SO is using it and hearing your message. That should make the weekly staff meeting more interesting when my phone buzzes so I take a peek and see it's the Mrs having fun at home while I'm learning what Stanley O'Noodle worked on for the last 7 days.
Throwback (Score:3)
Re: (Score:2)
But it didn't go to the clouds. It stayed local!
Doubt the company cares (Score:3)
Re: (Score:2)
So they'll let the shit-storm come, file bankruptcy and then sell the technology/patents/trademarks in the liquidation sale to a new company that will repeat the mess.
Poor interface? (Score:1)
Re: (Score:3)
Kids these days. Wimps. Now, in *my* day, we had to catch a grizzly bear and press ITS paw. While it was mauling us.
Now get off my lawn.
Help - Looking for solutions (Score:2)
So if you are not one of those four companies security will not gain you a single sale. Lack of it might burn you later but even that is unlikely.
We know shit security is a problem. I want to
How does that happen? (Score:2)