In November last year, consumer rights group Which? warned people about serious security loopholes in popular Bluetooth-enabled toys such as the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets that could pose a major risk to the privacy and safety of children.

The group noted that a range of Bluetooth-enabled toys named CloudPets featured serious security issues that allowed malicious actors to hack them and make them play their own voice messages. A kitten version of CloudPets was previously hacked and made to order its own cat food from a nearby Amazon Echo, and a researcher was able to hack into the toy from the street outside.

“More care needs to be taken when designing smart gadgets and toys, and the security and privacy of the user should not be left as afterthoughts. In the case of CloudPets, for example, some sort of authentication system could have been implemented when connecting via Bluetooth to increase security,” said Which?

According to several reports, Amazon and eBay have decided to pull CloudPets from their online stores citing security concerns. The decision was taken after research carried out by the likes of ContextIS and Troy Hunt exposed security vulnerabilities in CloudPets products.

Commenting on the pulling of CloudPets products by Amazon and eBay, David Kennerley, Director of Threat Research at Webroot, said that it’s great to see retailers take a stand against poorly designed and configured IoT devices.

“IoT devices have been rapidly embraced by the consumer market and enterprises alike. Having an array of connected devices by their very nature increases the potential attack surface area of the network, that when compromised could grant an attacker access to sensitive and highly valuable data. This is the same regardless of whether the device is in a large enterprise or your living room.

“Manufacturers of these devices have a responsibility to businesses and customers to ensure that security is built in during the development phase, with appropriate controls in place regarding the processing, storing and transit of end user data, whether remotely or locally. Mechanisms should be implemented that easily allow updates to be applied, while ensuring devices are easy to security harden. For example, enforcing the mandatory changing of default passwords.

“End users need to do their research, understanding the security risks associated with a particular IoT product, where possible. Once in place, the maintenance of the device must be prioritised to ensure ongoing resilience. IoT isn’t something you can set up once and forget,” he said.
