It's been more than a year since researchers discovered security problems in CloudPets' internet-connected toys. Mozilla and Cure53 recently found that none of those issues have been fixed, which prompted Walmart, Target, and now Amazon to pull the toys from their online stores.
CloudPets toys let family members play games with, sing lullabies to, and record voice messages for the children who own them. All of those features require an internet connection, naturally, as well as accounts made via the company's mobile apps. Yet researchers discovered in 2017 that CloudPets failed to properly secure the Amazon S3 databases used to handle all this data and recommended the use of weak passwords.
At the time, "Have I Been Pwned?" operator Troy Hunt said in a blog post that at least 821,000 people had their information compromised because of this insecure setup, and that many people had accessed a database containing this information. Researchers also found that attackers within Bluetooth range of a CloudPets toy could access it and record audio from or send messages to it. This problem still has not been fixed.
In a letter to Walmart, Target, and Amazon, the EFF laid out its concerns about CloudPets' response (or lack thereof) to these issues:
"What we see with CloudPets is a breach of trust with its users. We understand that connected devices can be complex and that sometimes, mistakes happen. However the issues with the CloudPets toy demonstrate a track record of failing to protect consumers. Despite the fact that security risks have been known publicly for over a year and that technical solutions are available, Spiral Toys has not rectified these problems. Security audits, instituting a vulnerability policy and also ensuring that their Bluetooth uses authentication are some of the key steps we’d like to see Spiral Toys take to help rectify this breach of trust."
It seems that retailers paid heed to these warnings. CNET reported that Amazon joined Walmart and Target in pulling CloudPets' toys from its online stores this week. Links to the toys still show up in searches for all three storefronts, but they lead to error pages or the toy section's web page. While this won't help people who have already purchased CloudPets toys, it should prevent the insecure products from spreading further.
And who knows--maybe being pulled from three of the biggest online retailers' websites is enough to convince CloudPets to take its products' security more seriously. We doubt it, given that the company's had more than a year to solve these problems, but at least there's a chance.
