Internet of Stranger Things: Toys That Hack Your Kids

Stranger Things is one of the most popular shows on Netflix. But one of the strangest things is the Cloud Pet, a voice-recording toy that has put the personal information of thousands of children at risk.

“Friends Don’t Lie.” If you know who said that, you’ve been a part of one of the most anticipated TV shows of the season, Netflix’s Stranger Things, now in its second season. You’ve probably also seen a lot of cool new gadgets and IoT tech coming out recently, for all ages. One of them, a child’s teddy bear, has a darker side to it. An “Upside Down” side, if you will.

It’s called the Cloud Pet. It’s manufactured by Spiral Toys, a California-based company. Alongside a parent app, this cuddly bear can recite prerecorded messages using the Internet. A sad child could be comforted by the sound of their parent’s voice, or anticipate a surprise, or just hear a happy memory played over. Children can also record messages and send them to their parents, and conversations can be had through the internet-connected animal.

The strange problem is that the toy company’s cyber security is lacking, and thousands of accounts are vulnerable to hacking. Security researchers, specifically Troy Hunt, looked into the breach and discovered the worst part of all:

“CloudPets left their database exposed publicly to the web without so much as a password to protect it.”

Troy Hunt also made the statement that “By now it’s pretty obvious that multiple parties identified the exposed database, it remained open for a long period of time and it exposed some very personal data. It would be a safe bet to assume that many other parties located and then exfiltrated the same data because that’s what people do; scanning for this sort of thing is enormously prevalent and that data – including the kids’ and parents’ intimate audio clips – is now in the hands of an untold number of people.”

Further investigation uncovered even stranger things: passwords did not have any requirements, and since children could set them, most of the 820,000 accounts have passwords like “password” or “12345.” When researchers tested them, they cracked many accounts, some with passwords of just one letter or number.

“The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children.” Literally, anyone with a little knowledge of this hack and some malicious intent could, without much effort, steal the picture and voice recording of a child, along with personal information of the parent, including email address and name.

Apparently, Cloud Pets were not the best idea. If you or anyone you know purchased one of these toys for any reason, let them know immediately. It isn’t right to treat anyone’s personal information so lightly, especially not that of children. While some might enjoy watching the plight of a young group of kids and their adventures in the Upside Down (I definitely do), no one’s personal information is safe with this strange stuffed animal.