CloudPets Breach

Following the news of the CloudPets Data Breach, Tod Beardsley, Director of Research at Rapid7 commented below.

Tod Beardsley, Director of Research at Rapid7:

“The tragic tale of CloudPets indicates at least four distinct failures when it comes to securing IoT. I’d characterise this confluence of vulnerabilities as catastrophic. CloudPets rolled out a service that relied on an insecure, open-access database, stored voice data on an insecure, open-access Amazon S3 bucket, and secured access to an online account with a password that has effectively no complexity requirements (a single character would do).

While bad, these three technical design failures could have been addressed, but for the fourth issue discovered: CloudPets seems uniquely uninterested in handling reported vulnerabilities. Emails and voicemails from security researchers and reporters appear to have been ignored, as were demands from database ransomers.

Even when companies ship IoT vulnerabilities, we tend to give them the benefit of the doubt when first reporting these issues. When Rapid7 reports vulnerabilities, we do get some kind of response about 70% of the time, and are able to engage with technical staff responsible for fixing vulnerabilities. In nearly all of those cases, the companies do produce a fix, or at least offer mitigation advice to customers. It’s become increasingly rare to come across companies that don’t respond at all, so the case with CloudPets is unusual in that regard.”