As the world learns of its embarrassingly leaky customer database, internet-connected cuddly toy maker CloudPets is under further scrutiny. This time for not securing its gizmos against remote exploitation via the Bluetooth Web API.
Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the computer or handheld viewing the page, without any authentication, and start controlling the gadget and recording from its builtin microphone. You can also play sounds through it. Here's an example of such a webpage that can take over a CloudPets gizmo; the browser opening the page has to be within Bluetooth range of the CloudPets toy for it to work. You must also allow the browser to pair with the cuddly electronics.
It is possible, for example, to use this API, with CloudPets' insecure implementation, to snoop on families from outside their house, or from the other side of a wall. Just pull out your phone, open the webpage, agree to pair it with the nearby toy, and listen in.
Security analyst and W3C invited expert Lucasz Olejnik has warned last year of the dangers to privacy caused by software and hardware mishandling connections from the web to devices via Bluetooth. And CloudPets seems to have put its foot right in it.
On Tuesday, infosec research outfit Context Information Security revealed it was already looking at CloudPets' use of Web Bluetooth before news broke of the toymaker's inability to secure more than two million voice recordings from its mic'd-up stuffed animals. Now, Context IS has brought forward the publication of its study, pouring fuel on the fire.
The team's conclusion is that security of the Bluetooth Web API implementation in the CloudPets devices is inadequate.
“When first setting up the toy using the official CloudPets app, you have to press the paw button to 'confirm' the setup. I initially thought this might be some sort of security mechanism, but it turns out this isn't required at all by the toy itself,” report author Paul Stone writes.
“Anyone can connect to the toy, as long as it is switched on and not currently connected to anything else. Bluetooth LE typically has a range of about 10 - 30 meters, so someone standing outside your house could easily connect to the toy, upload audio recordings, and receive audio from the microphone.”
Stone is also unimpressed with the toys' firmware handling: “The CloudPets app performs a firmware update when you first set up the toy, and the firmware files are included in the APK. The firmware is not signed or encrypted - it's only validated using a CRC16 checksum. Therefore it would be perfectly possible to remotely modify the toy's firmware.”
Here's a demo of Stone taking over CloudPets stuffed toy from a webpage, rather than the official app:
Olejnik seems grimly vindicated:
Stone has put the code for his bear-busting proof-of-concept on GitHub for anyone to check out. He also said he has been trying to warn CloudPets of the security blunders since October but has since given up after hitting silence. ®