A few days ago CloudPets stuffed animals found themselves in a lot of trouble after hackers stole their customer data. Now researches found more issues.
The infosec company Context Information Security announced it was looking at the Web Bluetooth feature of CloudPets. The company has researched this well before the recent announcement CloudPets were hacked.
The researchers found even more worrying problems with CloudPets’ technology. It turned out websites can connect to the plushies and activate their recording feature remotely, The Register reported.
“When first setting up the toy using the official CloudPets app, you have to press the paw button to ‘confirm’ the setup. I initially thought this might be some sort of security mechanism, but it turns out this isn’t required at all by the toy itself,” report author Paul Stone writes.
“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else. Bluetooth LE typically has a range of about 10 – 30 meters, so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”
Of course, these scenarios are unlikely for the regular folk, but it’s still not a nice feeling. Context Information Security is not impressed with some other technical features handling the security of the toys. Sadly, the company says they have been trying to connect with the CloudPets since October last year. They didn’t reply, just as with the other issue.