Two million recordings of families imperiled by cloud-connected toys' crappy MongoDB

Found on The Register on Tuesday, 28 February 2017

CloudPets' internet-facing MongoDB installation, on port 2701 at 45.79.147.159, required no authentication to access, and was repeatedly extorted by miscreants, evidence shows. The database contains links to .WAV files of voice messages hosted in the Amazon cloud, again accessible with no authentication, potentially allowing the mass slurping of more than two million highly personal conversations between families and their little ones.

As proof that CloudPets' security was hopeless, Hunt's informant provided him more than 580,000 records from the CloudPets database, along with screenshots of three attempts to alert the toy manufacturer to the gaping hole. Each warning, we're told, fell on deaf ears.

Hunt concluded: “The CloudPets data was accessed many times by unauthorised parties before being deleted and then on multiple occasions, held for ransom.”

That's no longer just an unfortunate accident; the company had several chances and still deliberately chose to ignore all safety. With such a disregard for data security, CloudPets should be held liable and brought to court. This also shows one of the major problems with the production process: they hired obviously incompetent developers who failed to read the installation instructions of MongoDB, like so many others (and yes, MongoDB should be completely locked down after installation, requiring the admin to configure it). They also failed to handle and store data efficiently. WAV? Seriously?
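To make the "locked down after installation" point concrete, here is an added, constructed illustration (not CloudPets' real configuration and not from the Register article): two versions of a mongod.conf, the first showing the exposed state the article describes, the second the hardened one. Port, addresses and comments are assumptions for the example.

```yaml
# mongod.conf, version 1: the exposed state (constructed example)
# A mongod like this answers to anyone who can reach the port, with no login.
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface, including the public one
# No "security" section at all: authorization defaults to disabled, so any
# client that connects gets full read/write access to every database, which is
# exactly what lets a stranger dump the data, delete it and leave a ransom note.
---
# mongod.conf, version 2: hardened (constructed example)
net:
  port: 27017
  bindIp: 127.0.0.1          # local clients only; if the application server is a
                             # separate host, add its private address here instead
                             # of ever using 0.0.0.0, and firewall the port as well
security:
  authorization: enabled     # every connection must authenticate with a user that
                             # has been granted explicit roles
# Bootstrap order: start mongod with this file, connect over localhost (the
# localhost exception allows creating the first user while no users exist yet),
# create an admin user with a strong password, then restart and verify that an
# unauthenticated connection from another host is refused.
```

Run the verification from a host outside the private network, not just from the server itself, since a bindIp mistake is invisible from localhost.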