Amazon and eBay are Pulling Listings For CloudPets Smart Toys Over Security Concerns

By Tom Pritchard on at

As someone who doesn't have children and grew up in a time where people couldn't even imagine the concept of toys that could be hacked remotely, I'm not sure I understand why smart toys are a thing. I understand toy companies would want to develop high tech playthings to try and flog to parents for outlandish prices, but given how many of them have god-awful security I don't really get why parents are still buying them.

Retailers have started paying attention to those issues, and the latest stock-pull comes from Amazon and eBay who have removed listings for CloudPets smart toys because of concerns over security.

Those concerns were first raised back in February of last year, after it was discovered the company for storing recordings of the toys' owners on an unsecured server. Recordings that were later exposed online. Spiral Toys claims to have taken action, though cyber security researcher Troy Hunt claims it took four attempts at communication before anything was done.

The problems didn't end there, either. Research from Mozilla found even more security holes in CloudPets products, with London-based Context Information Security discovering it was possible for anyone to connect to the toys via Bluetooth and record what was happening around the toy - provided they weren't connected to anything else at the time. Bluetooth doesn't have a huge range, but it did mean someone could stand outside your house and listen to what was happening inside. According to Cure53, who were commissioned by Mozilla to investigate earlier this year, that flaw hadn't been fixed. it also noted that CloudPets' tutorial was hosted on a website with a lapsed domain, which could easily be taken over and use to exploit existing security holes.

The toys were also mentioned in Which?'s report warning retailers about stocking connected toys with proven security issues last November. EFF also wrote to US retailers about the problems after receiving Mozilla's findings. Now it seems Amazon and eBay are taking things seriously, though the BBC notes both products have only been pulled from eBay in the US and Amazon in the US and UK.

They're not the first retailers to pull the toys either. Over in the US both Walmart and Target pulled CloudPets toys from sale, as did Tesco and The Entertainer here in the UK.

So there's just another reminder that parents should think twice before buying their kids connected toys, and at the very least should do some research to make sure there aren't any massive security holes that could put them or their kids at risk. Or better yet, just don't buy them. Kids will play with anything. [BBC News]