Walmart, Target, and Amazon have pulled CloudPets’ connected teddy bears from their online stores over security concerns.
The decision comes a year after researchers first uncovered security flaws in the toys, which allow children to send and receive audio messages with the help of the cloud and an iOS or Android app.
In a blog post published last February, Troy Hunt said that the toys had leaked the voice recordings of more than 2 million children and parents, as well as email addresses and password information associated with more than 800,000 accounts.
Researchers recently discovered that the security issues in CloudPets still have not been fixed, prompting the Electronic Frontier Foundation (EFF) to pen a letter to Walmart, Target, and Amazon voicing concern that the smart toys were still available for purchase.
Insecure online database
In 2017, CloudPets’ database was accessed multiple times by hackers; the information stored in CloudPets’ database was held for ransom by cybercriminals at least twice.
"What we see with CloudPets is a breach of trust with its users. We understand that connected devices can be complex and that sometimes, mistakes happen. However the issues with the CloudPets toy demonstrate a track record of failing to protect consumers,” the EFF wrote in their letter.
“Despite the fact that security risks have been known publicly for over a year and that technical solutions are available, Spiral Toys has not rectified these problems. Security audits, instituting a vulnerability policy and also ensuring that their Bluetooth uses authentication are some of the key steps we’d like to see Spiral Toys take to help rectify this breach of trust,” the group said.
Removed from online marketplaces
Last week, Walmart and Target stopped selling the internet-connected toys. Amazon followed suit on Tuesday morning after being contacted by Mozilla, which offered research highlighting the vulnerabilities of CloudPets.
“In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.
Working with cybersecurity research firm Cure53, Mozilla found that the Bluetooth vulnerabilities found in CloudPets toys back in 2017 are still present.
"The company clearly does not care about their users' security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users," the researchers said.