US Senator snaps on glove, probes insecure IoT toymaker CloudPets

'Will we do this the easy way, or will we do it the hard way?'

Spiral Toys, maker of the insecure Bluetooth-connected stuffed animals dubbed CloudPets, is being grilled for information by a US Senator.

On Tuesday, Bill Nelson (D-FL), ranking member of the Senate's Committee on Commerce, Science and Transportation, sent Spiral ten questions demanding answers about the security of its voice-messaging cuddly toys.

CloudPets was earlier caught running an unsecured MongoDB installation, completely open to the world. That exposed hundreds of thousands of user account records – including email addresses and easily crackable hashed passwords – along with links to as many as two million voice recordings children and parents had sent each other via the toys and their iOS and Android app.

Within a day, it also emerged that the toys' microphones could be accessed by nearby snoops, via Spiral's poorly secured implementation of the Web Bluetooth API.

Nelson wants Spiral to explain its database leak in step-by-step detail, whether there's any identity theft protection in place, and what control people have over data collected by their CloudPets.

He also wants to know whether the Children's Online Privacy Protection Act applies to Spiral Toys' operation, details about its data collection and who data is shared with, whether any other breaches have happened in the past two years, whether consumers have the chance to delete their data, and more.

The letter came to light via Microsoft MVP Troy Hunt, who investigated the MongoDB leak.

The letter may reveal some actually useful information from California-based Spiral Toys. The biz sent a disingenuous statement to journalists in February. Back then it wrongly claimed the user data was “password encrypted,” and that it was only a staging server that was compromised (it just happened to hold 500,000-plus production records). ®
