SPICE Pleased Cloudpets Toys Removed from Amazon & eBay

The cute, cuddly, fluffy children’s toys that Security & Privacy in Informatics, Computing, and Engineering (SPICE) have been teaching parents, educators, and children the dangers about are being pulled off the virtual shelves of Amazon and Ebay after a review by Mozilla. CloudPets™ line of children’s toys — which are subject to data theft, audio hijacking, and location finding by hackers — have been used as a research target for Capstone students, as well as an example in outreach to audiences ranging from families to government offices.

SPICE’s goals are research, education, and outreach. With our Internet of Things (IoT) research center, students are able to learn the skills of hacking, targeting home devices for attack, evaluating how design could be improved, and informing industry and academia of our findings. Additionally, we use many of these devices in outreach events to teach the public how they can evaluate their own risk with devices in their ecosystem, as well as skills they can use to mitigate their exposure to risk.

CloudPets™ toys are sold as a communications toy that allows children to send and receive audio messages with a parent who is far away. Targeted at military families, SPICE began research on them in 2017 as a part of a year long undergraduate Capstone research project. The students found a myriad of security failings with the devices, based on their own research as well as research done at other schools. Beyond the loss of children’s data in one of the largest failures in proper online data storage, the toys also rely on insecure communications that any person with a web browser can mimic. The Capstone team built a simple application that could find the location of a toy, take it over without permission, and send messages to a child under the guise of being from their parent. Given the risks of a social attack, the toy is simply unsafe for use.

Despite many attempts by various researchers to have the toy improved, the manufacturer has not responded either with repairs or with communications. As such, the toy is not repairable and stands with classroom examples of IoT device which cannot be mitigated like those whose manufacturer is out of business. Short of removing them from store shelves, not much can be done other than education, as explained by IoT house manager, Joshua Streiff:

In class we ask the ethical question – what to do about these toys? If the manufacturer will not fix them, or even answer emails, then what can we do?  We could show the problem to everyone on Amazon reviews demonstrating the actual hack which might scare some people away from buying the product, but at the same time it would only advertise the hack for those who might implement it against a child in the real world. Ethical disclosure and manufacturer responsibility is the cornerstone to a safer ecosystem, but CloudPets won’t be a good community member.

IU’s Cloudpets toys have been used in outreach events around the country. From on campus lectures, to international conferences such as Women in CyberSecurity, to educator conferences such as University of Indiana’s K8: Flipping the Switch, the Cloudpets have taken the stage as an example of the kind of threat parents, teachers, and children need to be aware of in their lives. While the toys are cute, children have to understand the threats they can pose and have personal mitigation plans for dealing with them. Our talk teaches families how to purchase for security, or simply deal with these devices as they enter our homes as gifts from grandparents. Education is a powerful tool, as one parent reported to us:

My daughter wants one, even after attending the lecture on them. I told her it was an unsafe product. She responded with a well laid out plan for mitigating the dangers of the product including powering off, access control, and being aware that the audio could be from any source. Her list was superb and covered the threat list. She will do well.

In this case, SPICE is very happy to see that the products will no longer be available through Amazon and eBay. It is our hope that this will force Cloudpets into improving the security on their devices as well as create a strong incentive for other toy manufacturers to design for security, to respond to disclosure, and to be full partners in the IoT market.