CloudPets is a stuffed toy with a Bluetooth connection, enabling family and friends to send messages to be played back to a child using the toy’s built-in speaker.
However, a Which? investigation has highlighted a significant vulnerability that leaves this popular children’s toy open to being hacked.
To prove it, we were able to ‘hack’ the cat version of the CloudPets toy and use it to order cat food from Amazon via a voice-controlled Echo. You can see it in action in our video, below.
In our investigation into smart home hacking, our team of ethical security researchers from SureCloud found that they could either send their own audio (voices or otherwise) to be played back to anyone within earshot of the toy, or remotely capture audio through the toy and listen to it through a phone or laptop.
While our test was harmless, in the hands of someone with more malicious intentions the same hack could enable a stranger to speak to your children directly from outside your house. To give them instructions, perhaps? Or to ask them to come to the front gate to ‘meet up with daddy’.
Could your baby monitor be hacked?
In our lab, we test many smart products for how they might impact on your family’s privacy and security. Baby monitors are one example. In each of our latest baby monitor reviews we provide a privacy rating, which gives you an indication of how secure the baby monitor is, based on an assessment of: privacy settings, how complicated the security features are to set up, whether or not any data is encrypted, and the security of any cameras and videos or images.
Hackers and your home: how to protect your family
CloudPets isn’t the first ‘smart’ toy to be hit by privacy and security concerns. In February, the communications watchdog in Germany advised parents with the Cayla talking doll to destroy it over fears that it could leak personal data. This followed security researchers discovering that it has an unsecured Bluetooth device embedded in it.
The European Commission is currently investigating whether such toys are in violation of EU laws on data protection.
With virtually every consumer household product joining the ‘smart’ age, it’s unsurprising that toys have followed suit. However, the drive to ‘get connected’ shouldn’t come at the cost of privacy, security and safety.
Which? feels that more care needs to be taken when designing smart gadgets and toys, and the security and privacy of the user should not be left as afterthoughts. In the case of CloudPets, for example, some sort of authentication system could have been implemented when connecting via Bluetooth to increase security.
We repeatedly tried to contact CloudPets’ maker, Spiral Toys, about our findings (including directly emailing its CEO), but had received no response at the time of publication. Security researcher Paul Stone, of ContextIS, who originally exposed the critical flaw last year, has also previously been unable to get a response from the company.