Amazon and eBay are among retailers pulling a brand of cuddly smart toys from sale after warnings they pose a cyber-security threat. Concerns were raised about CloudPets products in February 2017 after it was discovered that millions of owners’ voice recordings were being stored online unprotected.
The CloudPets range includes a number of soft animal toys that are fitted with a microphone and speaker. These allow children to record their own messages and play back the voice recordings of friends and family members, which are uploaded to the net via a Bluetooth-connected app. Owners controlled audio recordings by pressing the toys’ paws.
A London-based company, Context Information Security, revealed it had found another flaw with the toys that meant hackers could trigger their own recordings in order to spy on owners.
“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else,” Context reported.
“Bluetooth LE typically has a range of about 10m to 30m [33ft to 98ft], so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”
Cure53 said that hackers could obtain the web address and use it to mount further attacks on families.
Mozilla shared the findings with digital rights group the Electronic Frontier Foundation, which wrote a letter to US retailers selling the items.
Walmart and Target are among other US companies reported to be halting sales. UK stores Tesco and The Entertainer also used to stock CloudPets toys, but both appear to have stopped doing so after the earlier reports. The BBC has also contacted Google and Apple, who continue to offer CloudPets’ apps on their stores.