Researchers at Context Information Security have found vulnerabilities in a Bluetooth CloudPets Unicorn toy that allowed them to take control of the toy's voice recording functionality.
The CloudPets range of cuddly toys uses Bluetooth Low Energy (LE) to communicate with a smartphone app, allowing parents to record audio messages on their phone and send them to their child's toy, or vice versa.
Context researchers were able to connect to the CloudPets Unicorn via Bluetooth LE, upload a recording that they had made and make the toy play back the recording. They were also able to trigger the toy's recording functionality to retrieve and play back audio it had recorded, effectively turning the toy into a remote surveillance device. Bluetooth LE has a range of about 10 to 30 metres, so anyone standing outside a house could easily connect to a toy inside.
“While the purpose of this project was to have some fun hacking a Bluetooth Unicorn to explore how Bluetooth LE is used in real world projects, the security implications are also important to note,” said Paul Stone, principal researcher at Context. “The toy does not use any built-in Bluetooth security features such as pairing that would have enabled some authentication between device and phone. In our experience, many Bluetooth LE devices intended for use with smartphones don't bother with pairing in order to simplify user experience. In the meantime, if you own one of these toys, or any other IoT or connected toy, we would recommend keeping it turned off when it is not in use.”
This latest disclosure by Context follows the revelation this week by another researcher that Spiral Toys, the maker of CloudPets, exposed more than two million voice recordings of children and parents, as well as email addresses and passwords for more than 800,000 accounts. The recordings and data were stored in a publicly accessible database that wasn't protected by a password or placed behind a firewall.
Context policy is to follow responsible disclosure and the company has attempted to contact SpiralToys since last October.After five months and the recent public release of other security issues around CloudPets products, the decision was made to disclose the findings.