INSUBCONTINENT EXCLUSIVE:
Image copyrightSpiral ToysImage caption
Owners controlled audio recordings by pressing the toys' paws
Amazon and eBay are among retailers pulling a brand of cuddly smart toys from sale after warnings they pose a cyber-security threat.Concerns
were raised about CloudPets products in February 2017 after it was discovered that millions of owners' voice recordings were being stored
online unprotected.Manufacturer Spiral Toys claimed to have taken "swift action".But subsequent research commissioned by Mozilla found other
vulnerabilities.The devices' California-based maker has not responded to requests for comment.One independent expert told the
TheIndianSubcontinent it was "great to see retailers acting responsibly", but added she wished they had done so sooner."It seems that
refusing to sell products that threaten customers' security and privacy is the only way to make designers and manufacturers of these
products care about these risks," said Angela Sasse, professor of human-centred technology at University College London."The fact that
Mozilla had to shame the retailers into this action, more than a year after vulnerabilities were first discovered, is not great."Hopefully
in future retailers will take such action as soon as shortcomings are demonstrated."Hackable toysThe CloudPets range includes a number of
soft animal toys that are fitted with a microphone and speaker.These allow children to record their own messages and play back the voice
recordings of friends and family members, which are uploaded to the net via a Bluetooth-connected app.Image copyrightSpiral ToysImage
caption
The toys are likely to have appealed to young children
Although Spiral Pets eventually addressed
the fact that many recordings had been exposed online, security researcher Troy Hunt revealed last year that it had done so only after being
contacted four times about the issue.In the meantime, he added, the data had been accessed multiple times by unauthorised parties, and had
even been held for ransom, before the matter was resolved.The same month, a London-based company, Context Information Security, revealed it
had found another flaw with the toys that meant hackers could trigger their own recordings in order to spy on owners."Anyone can connect to
the toy, as long as it is switched on and not currently connected to anything else," Context reported."Bluetooth LE typically has a range of
about 10m to 30m [33ft to 98ft], so someone standing outside your house could easily connect to the toy, upload audio recordings, and
receive audio from the microphone."The non-profit Mozilla Foundation - which develops the Firefox browser - subsequently commissioned a
German research company to carry out further tests this year.Cure53 found that the second flaw had not been fixed.It reported a further
problem: the toys' app referred users to a tutorial website whose domain registration had lapsed.There was a risk, Cure53 said, that hackers
could obtain the web address and use it to mount further attacks on families.Image copyrightCure53Image caption
Cure53
tested several of the toys in its Berlin labs
"I'm a mother of two young kids," Ashley Boyd, vice-president of advocacy at
Mozilla told the TheIndianSubcontinent."In a world where data leaks and breaches are becoming more routine and products like CloudPets can
sit on store shelves, I'm increasingly worried about my kids' privacy and security."Duty of careMozilla shared the findings with digital
rights group the Electronic Frontier Foundation, which wrote a letter to US retailers selling the items."What CloudPets demonstrates is the
potential privacy risks that even a toy with limited connectivity can pose," it said."That's why we also urge you to consider putting in
place new or improved systems to ensure that products you stock, especially those that collect the information of children, have basic
practices in place to respect the trust that consumers place in them."Although the toys no longer appear on Amazon's US store, they are
still listed on its UK site
Image copyrightAmazonImage caption
Amazon's UK site still listed the toys after they had been removed from its US store
Amazon declined to comment.Walmart and Target are among other US companies reported to be halting sales.UK stores Tesco and
The Entertainer also used to stock CloudPets toys, but both appear to have stopped doing so after the earlier reports.The
TheIndianSubcontinent has also contacted Google and Apple, who continue to offer CloudPets' apps on their stores.Both said they were looking
