Is your Child’s Teddy Bear Compromising your Online Security?

In today’s digital age, most of us who have children are fully aware of the risks and threats posed to them online. Many go above and beyond what is deemed necessary to protect their mobile devices, and our own, from scams and hackers, while the supposedly harmless talking teddy or connected Barbie quietly store their innocent chatter in the cloud!

It’s Time to be Toy Wise and Tech Savvy

If your child is getting excited about the latest CloudPets toy, maybe it’s time to direct their attention elsewhere. In South Africa and the rest of the world, the CloudPets talking teddy bear is advertised as “a message you can hug”. The concept and design is quite unique and probably why it is winning the hearts of so many kids and parents across the globe.

Here’s how it works.

Parents buy their child a CloudPets toy and download the linked app for them
Any CloudPets friend on the network can then record and send a message which is delivered wirelessly to the Cloud Pet.
When the CloudPets has a message, it’s little heart flickers
The child squeezes the pet’s paw to play the message
Another squeeze of the pet’s paw then records a message, which is delivered to the nearest linked device and on to a CloudPets friend – wherever he or she might be in the world.
Child’s play!

Sounds fun, doesn’t it? What’s not fun is that this particular toy leaked over 2.2 million conversations between parents and kids to the internet! The company made use of a MongoDB database which was poorly secured and the CloudPets platform had no requirements in terms of a password. In fact, parents registering for the service could use a single letter as their password, which makes it all too easy for hackers to do their work.

The problem lies in the fact that most parents aren’t aware of the dangers until it’s too late, but there’s a lesson for both parents and businesses in this. The lesson for parents is obvious – make sure you don’t fall prey to cuddly promises without doing your research to check that any recordings are secure and try and limit the amount of data stored.

For businesses, the lesson is more complex

Here are a few tips that a business can learn from this incident:

Your database must be secured and managed by security-minded administrators.
Make sure that reported incidents of data breach or similar are responded to immediately. Time wasted is time that you will regret.
In the unfortunate event of a data breach, absolutely every person and party involved must be notified as soon as possible.
Always advise your online users to choose complex passwords and send reminders for them to be changed on a regular basis.
Educate your customers on how the IoT works (if you sell IoT products) and ensure that they understand the risks implicated. This might help individuals be more careful about the type of information that they send via such devices.
The trick is not to avoid buying these types of modern toys, but to buy the right ones with the right manufactures behind them. CloudPets is a great idea / concept with very poor follow-through in terms of security. If your child has a toy that connects to the net or a network, perhaps it’s time to check out just how secure they really are.