Amazon will stop selling connected toy filled with security issues

Cybersecurity isn’t child’s play.

Alfred Ng
Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
3 min read
Account information on 800,000 CloudPets users was left unprotected on the internet, as well as 2.2 million voice recordings sent between children and their loved ones, according to reports Monday.

Amazon, Target and Walmart are no longer selling CloudPets toys.

Spiral Toys/Screenshot by CNET

That soft teddy bear seems harmless -- until hackers can use it to spy on your kids.

Amazon said it has pulled CloudPets, a smart toy that researchers said was riddled with security flaws, from its online store. Last week, Walmart and Target stopped selling the toy. Amazon began removing CloudPets on Tuesday morning. 

The decision comes a day after Mozilla contacted Amazon with research showing new vulnerabilities on CloudPets.

"In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I'm increasingly worried about my kids' privacy and security," Ashley Boyd, Mozilla's vice president of advocacy, said in a statement.

Walmart and Target did not respond to a request for comment.

This isn't the first time that Amazon has stopped selling products over privacy concerns. Last July, the online retailer giant suspended Blu phones -- its top selling phone at the time -- because researchers found spyware on the popular devices.

Connected devices tend to be open to attacks for a multitude of reasons, whether it's default passwords, developers who never send security updates or owners who never install them. The US Consumer Product Safety Commission opened an investigation into the dangers of connected gadgets, also known as the Internet of Things, in March, while lawmakers introduced a bill to regulate smart devices.

That's a particular problem when it comes to selling connected toys to children, since it opens up a new field of privacy concerns for parents. After advocates pointed out that the toy "My Friend Cayla" violated privacy rules by recording conversations without parental consent, Germany banned the doll and asked any parents who still owned it to destroy it.

CloudPets, made by Spiral Toys, is a talking toy that's connected online, uses voice recordings and an online app through Bluetooth.

But in 2017, hackers were able to access CloudPets' database, containing email addresses, passwords and voice recordings from children, which cybercriminals held for ransom at least twice. The breach affected more than 800,000 people.

Mozilla worked with cybersecurity research firm Cure53 to see what vulnerabilities CloudPets still has after the original breach in 2017. They found that CloudPets' Bluetooth vulnerabilities first demonstrated more than a year ago are still open.

The firm conducted its tests for vulnerabilities in March, and found that CloudPets did not meet security standards. Spiral Toys did not respond to a request for comment.

"The company clearly does not care about their users' security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users," the researchers wrote in their report.

The researchers also discovered that CloudPets' mobile app refers users to a website called "mycloudpets.com/tour," a domain that is currently for sale and can be redirected by potential criminals in online scams.

CloudPets also had a third vulnerability, researchers said, that allowed potential hackers to install custom firmware to the toy without any security checks to stop them. Installing custom firmware would let a potential hacker take control of the toy, along with any data that passed through it.

Researchers found that CloudPets' apps were last updated in May 2017 for iOS and January 2018 for Android.

CloudPets' security issues calls into question what smart toys stores decide to stock their shelves with, as vulnerabilities continue to surface.

"We also urge you to consider putting in place new or improved systems to ensure that products you stock, especially those that collect the information of children, have basic practices in place to respect the trust that consumers place in them," Mozilla said.