Hackers Seize Internet-connected Toys through Bluetooth
In a hacking attack targeting CloudPets, a U.S. toy company, more than half a million buyers of its fluffy animals, which are played with by connecting them to the Internet, had their personal information compromised. The exposed data consisted of passwords and e-mail IDs, and illegitimate access to users' profile photos was also enabled. In addition, more than two million voice recordings of adults and children, made as they played with the stuffed toys, were accessed.
The toys can be linked to an application via Bluetooth so that kids' parents can download and upload audio messages.
The hack has concerned security researchers, as the hackers may have got hold of the voice recordings that buyers of the toys made. However, CloudPets, the maker of Spiral Toys, dismissed any hacking attempt on its customers.
According to a report, recorded messages and photographs, along with other information such as passwords and e-mails, were at risk of attack. The database and the recordings were stored in the cloud rather than on the mobile phone. According to security researcher Troy Hunt, over 820K user accounts along with 2.2m voice recordings were leaked. Hunt says the leaked data was held to ransom, and that it had been stored insecurely, with no authentication required for access. Nj.com posted this on February 28, 2017.
During January, the hackers left a ransom demand saying 'PLEASE READ' where the data was stored on the compromised computer. The ransom message told the victim that his database had been copied to the hackers' servers and could be recovered if the victim sent one Bitcoin to 1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF and then sent his IP address to firstname.lastname@example.org. Bitcoin is a digital currency, with one Bitcoin worth some USD1,190.
Security researchers conclude that the implementation of the Bluetooth Web API inside CloudPets' toys is insufficiently secured. The CloudPets hack impacted over 28,000 databases; however, according to CloudPets, it had encrypted its data, and it assured customers that the attackers would not manage to read it.
But the data was stored where it was publicly accessible and lacked even basic security safeguards, and so it was hacked repeatedly in recent weeks. Nevertheless, the company cleared its affected database of all information.
» SPAMfighter News - 06-03-2017