Vulnerabilities have been found in a Bluetooth CloudPets Unicorn toy by researchers at Context Information Security. They were able to take control of the toy’s voice recording functionality. The CloudPets range of cuddly toys uses Bluetooth Low Energy (LE) to communicate with a smartphone app, allowing parents to record an audio message on their phone and send it to their child’s toy, or vice versa.
Context researchers were able to connect to the CloudPets Unicorn via Bluetooth LE, upload a recording that they had made and make the toy play back the recording. They were also able to trigger the toy’s recording functionality to retrieve and play back audio it had recorded, effectively turning the toy into a remote surveillance device. Bluetooth LE has a range of about 10-30 m, so anyone standing outside a house could easily connect to a toy inside.
“While the purpose of this project was to have some fun hacking a Bluetooth Unicorn to explore how Bluetooth LE is used in real world projects, the security implications are also important to note,” said Paul Stone, Principal Researcher at Context. “The toy does not use any built-in Bluetooth security features such as pairing that would have enabled some authentication between device and phone. In our experience, many Bluetooth LE devices intended for use with smartphones don’t bother with pairing in order to simplify user experience. In the meantime, if you own one of these toys, or any other IoT or connected toy, we would recommend keeping it turned off when it is not in use.”
This latest disclosure by Context follows the revelation this week by another researcher that Spiral Toys, the maker of CloudPets, exposed more than 2 million voice recordings of children and parents, as well as email addresses and passwords for more than 800,000 accounts. The recordings and data were stored in a publicly accessible database that wasn't protected by a password or placed behind a firewall.