Toy Story – Blame Mongo

Before Christmas, we expressed concern that kids’ toys that record voice and video would be ripe for access by the bad guys.

As you may have seen in the press this week, this extremely worrying set of circumstances has actually happened and in a fairly major way.

In this case, the issue was not with the devices themselves – CloudPets toys incorporate a microphone and speakers, which enable messages to be spoken to the kid from friends and relatives and vice-versa from the kid.

Once recorded, the ‘oh so cute’ messages are uploaded to the now infamous ‘cloud’ (in this case special cloud agent 45.79.147.159) to be stored for who knows how long. Of course, you would expect that the administrator of this system might take the security of messages between children, other children and grown-ups extremely seriously, not least for the reputational damage any leak would cause to the fluff factory.

You would be wrong. The details of 820,000 CloudPets users and all of their saved voice and video were stored in a MongoDB database, which was completely unprotected. The contents were copied then deleted and the vendor ransomed. More worryingly, the content appears to have been doing the rounds on the Dark Web (mwahahaha), let’s see who gets blackmailed next…

Every security outfit and blogger on the planet has been reporting about attacks on MongoDB (preceded by attacks on ELK stacks) with default (unsecured) configurations and it beggars belief that an organisation responsible for kids’ data would be so slack. You can read a full report here.

Needless to say, we advise anybody running a MongoDB installation to secure it. The MongoDB techs have a lovely security checklist, which it may be a good idea to read through.
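One way to check a mongod.conf for the unprotected setup described above, as an added example (not CloudPets' or MongoDB's own code): it flags access control left off, binding to every interface, and network exposure without TLS. The function names and sample configs are constructed for illustration, and a missing bindIp is assumed to mean localhost (the default since MongoDB 3.6).

```python
import ipaddress

# Constructed sample configs (not taken from the CloudPets deployment).
WEAK = "net:\n  bindIp: 0.0.0.0\n"
HARDENED = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

def flatten(text):
    # Flatten the nested-mapping YAML subset used by mongod.conf into dotted keys.
    out, stack = {}, []                      # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return out

def _ip(addr):
    try:
        return ipaddress.ip_address("127.0.0.1" if addr == "localhost" else addr)
    except ValueError:
        return None                          # other hostname or socket path: treated as exposed

def audit(text):
    c = flatten(text)
    # Assumption: a missing bindIp means localhost, the default since MongoDB 3.6.
    ips = [_ip(b.strip()) for b in c.get("net.bindIp", "127.0.0.1").split(",")]
    bind_all = c.get("net.bindIpAll") == "true" or any(i is not None and i.is_unspecified for i in ips)
    exposed = bind_all or not all(i is not None and i.is_loopback for i in ips)
    findings = []
    if c.get("security.authorization", "disabled") != "enabled":
        findings.append("NO_AUTH: access control is off, any client that connects is unrestricted")
    if bind_all:
        findings.append("BIND_ALL: listening on every interface, list specific addresses instead")
    if exposed and c.get("net.tls.mode", "disabled") != "requireTLS":
        findings.append("NO_TLS: network-reachable without net.tls.mode set to requireTLS")
    return findings
```

Calling `audit(WEAK)` returns all three findings and `audit(HARDENED)` returns an empty list; a clean result here does not replace firewalling the port or working through the vendor checklist.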

In other news this week, Google is at it again, releasing details of a vulnerability in Windows Internet Explorer which can at the very least cause the browser to crash and quite possibly be used for more nefarious purposes. Apparently, Google informed Microsoft about the bug back in November and, guess what, Microsoft has taken more than 90 days to fix the issue and fallen foul of Google’s self-imposed 90-day disclosure rule.

As we have previously stated, we are not sure if this 90-day business is a good idea or just plain reckless. We do know that our pal Graham Cluley thinks it is rubbish.

Will the day come when Google publishes a vulnerability and that same vulnerability (perhaps on a Google developer’s laptop, who knows?) is used to hack Google? That would make for a very interesting blog!

If you would like to discuss MongoDB, children’s toys or anything security related, please contact us on: [email protected] or call 020 7517 3900.