Amazon and eBay remove CloudPets smart toys from sale

June 8, 2018


Concerns were raised regarding CloudPets items in February 2017 after it was found that millions of proprietors’ voice recordings were being stowed online unguarded.

Producer Spiral Toys claimed to have taken “quick action”.

However subsequent research ordered by Mozilla found other weaknesses.

The appliances’ California-based producer has not replied to requests for a statement.

One impartial expert told it was “good to see traders acting sensibly”, but added she desired they had done so quicker.

“It appears that declining to sell products that endanger clients’ safety and secrecy is the only way to make designers and producers of these products care about these dangers,” said Angela Sasse, professor of human-centered technology at University College London.

“The truth that Mozilla had to disgrace the traders into this action, more than a year after weaknesses were first found, isn’t great.”

“Optimistically in future traders will take such action as soon as inadequacies are confirmed.”

Hackable dolls

The CloudPets variety includes several soft animal toys that are installed with a speaker and microphone.

These let kids tape their own messages and play back the voice records of family members and friends, which are uploaded to the net through a Bluetooth-connected app.


Even though Spiral Pets ultimately tackled the fact that a lot of recordings had been exposed online, safety scientist Troy Hunt disclosed previous year that it had done so just after being contacted four times regarding the problem.

In the meantime, he added, the data had been retrieved several times by illegal parties and had even been held for payment, before the problem was solved.


The same month, a London-based firm, Context Information Security, disclosed it had found one more fault with the toys that meant hackers might trigger their own recordings to spy on proprietors.

“Anybody can link to the toy, as long as it is switched on and not presently linked to anything else,” Context informed.

“Bluetooth LE usually has a span of about 10m to 30m [33ft to 98ft], so somebody standing outside your house might easily link to the toy, upload audio recordings, and get audio from the microphone.”

The non-profit Mozilla Foundation – which improves the Firefox browser – then hired a German research firm to perform more tests this year.

Cure53 found that the second fault had not been repaired.

It informed an additional issue: the toys’ app mentioned users to a tutorial website whose domain registration had expired.

There was a danger, Cure53 said, that hackers might get the web address and use it to mount more attacks on households.

“In a world where breaches and data leaks are becoming more usual and products similar to CloudPets can sit on store shelves, I am increasingly concerned about my children’s secrecy and safety.”