IoT Connected Toys Data Breach

Following the news that Spiral Toys, parent company of the popular CloudPets line of internet-connected toys, was hacked, exposing personal messages and information, Cybersecurity experts from FireMon, Imperva, InfoArmor and Lieberman Software commented below.

Paul Calatayud, Chief Technology Officer at FireMon:

“I like to call IoT the IoMT as in the Internet of Malicious Things, and news of the teddy bear leak hits on two main issues. One, the growing use of open source databases, and two, putting devices on the internet.

MongoDB is becoming a common technology for use in e-commerce due to its flexibility and price (free). Like most things that are free there are hidden costs in the form of no security confirmations or common security models. This results in what I call security regression, where best practices quickly become forgotten in the rush to slap an application on the internet. Combine this with devices that are exposed to the internet and you have a combination for a hackers paradise.

Consumers need to be aware that it takes a lot of energy and investments to properly secure their information. If you have a sense the company may not be up to the task, you may want to think twice about what information you are sharing with them.”

Ben Herzberg, Security Research Group Manager at Imperva: 

 “Let’s start with the good: using a slow-to-crack algorithm (bCrypt) was a good choice, and probably prevented additional damage.

With the great increase of IoT devices, from teddy bears like the ones connecting with CloudPets to medical devices monitoring patients to connected refrigirators, our race for innovation brings a lot of cool stuff to life in a very short time, and this will continue in the next years, as there is a potential to revolutionize the way we’re living.

However, we’ve seen a lot of security glitches from these IoT companies, and they need to understand that information security is not just a ‘good-to-have.’ We’ve seen hundreds of thousands of such devices used in Denial of Service (DoS) attacks, taking down huge organizations. We’re seeing those devices being used in other malicious activities like probing websites for vulnerabilities and attempting to take over accounts.

In conclusion – every company that’s selling devices that connect to the internet must know that in that moment they become a target, and will probably not have a lot of grace time before they start getting attacked.”

Byron Rashed, Vice President of Global Marketing, Advanced Threat Intelligence at InfoArmor:

“Why so many password (credentials) breaches? The answer is simple – convenience. With all forms of security, convenience suffers. Whether it be using various forms of two-factor authentication or multi-factor authentication, users need to manage and remember passwords. Best practice would dictate a different and unique password for each application. Just think how many applications the average person uses in one day – email, social media sites, banking, shopping, etc. Not only is it daunting, but it’s inconvenient; however, it has become a necessity in today’s digital age.

Companies are faced with the dilemma between ease of use and the overall customer experience versus security of accounts. Investing in technologies such as encryption and multi-factor authentication add to the cost of doing business while degrading the customer experience. Many companies do not fully assess the risk of convenience versus security.

SHA-1 and MD5 hashes can easily be cracked by automated tools on black market sites on the Dark Web were cyber criminals can get clear text passwords. Professional cyber gangs are very organized and members have areas of specialty from network infiltration to data exfiltration to monetization. Many of these organizations bring in millions of dollars in income, and some are shielded with non-extradition to the victim country.

Like every new and emerging (mainly consumer-based) technology, security is a afterthought or not planned out correctly. The IoT will bring many challenges to both companies and consumers as vulnerabilities become apparent in successful IoT attacks.”

Philip Lieberman, President & CEO at Lieberman Software:

“The legal description for this breach is gross negligence with little to no thought given to the security of the data or application.

Then again, for most IoT sales the vendor is not monetizing the data, only the device itself (a single point in time purchase for minimal margin).  The business model for IoT provides little to no incentive for security and off-shore vendors have a shield of no legal recourse for US consumers.

With any single point in time purchase of a connected device, my advice is to assume it is already compromised, every credential you enter is compromised, and there will be no improvement.  With that assumption, expectations of complete disclosure should be expected for the time being. I still have my old fashioned thermostat ready to go in case the Internet connected one loses its mind and my control.”