Amazon stops sale of IoT connected toys
June 14, 2018
Amazon has stopped the sale of CloudPets, an IoT connected family of toys, after concerns about security and privacy were raised by internet developer and community activist Mozilla.
Other retail outlets, including Walmart and Target, also removed the connected toys from sale.
CloudPets is made by toy maker Spiral Pets.
Mozilla, a foundation which develops the web browser Firefox, had uncovered vulnerabilities in the CloudPets family of toys. The foundation had commissioned cybersecurity research firm Cure53 to investigate Spiral Pets following concerns about the company's products. The research firm found that the toys can be turned into spying devices through a Bluetooth attack.
The firm also discovered that the toy maker's website for the CloudPets family had expired and was up for sale. As a result, the expired website was a potential phishing platform.
Cure53 reported that the toys had no firmware protection, allowing anyone with access to the toys to create custom firmware. The research firm also found that the CloudPets voice recordings are stored on Amazon in a publicly accessible filestore.
Cure53's report commented that Spiral Toys "clearly does not care about their users' security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious attacks against their users."
Mozilla and Cure53's investigation follows concerns raised by security researcher Paul Stone last year. Stone reported that CloudPets toys could be hacked to capture audio. The toy maker was also holding customer records in an unsecured MongoDB database, which hackers had attacked, gaining access to 500,000 customer records.