US Senator snaps on glove, probes insecure IoT toymaker CloudPets

Spiral Toys, makers of the insecure Bluetooth-connected stuffed animals dubbed CloudPets, is being grilled for information by a US Senator.

On Tuesday, Bill Nelson (D-FL), ranking member of the Senate's Committee on Commerce, Science and Transportation, sent Spiral ten questions demanding answers about the security of its voice-messaging cuddly toys.

CloudPets was earlier caught running an unsecured MongoDB installation, completely open to the world. That exposed hundreds of thousands of user account records – including email addresses and easily crackable hashed passwords – along with links to as many as two million voice recordings children and parents had sent each other via the toys and their iOS and Android app.

Within a day, it also emerged that the toys' microphones could be accessed by nearby snoops, via Spiral's poorly secured implementation of the Web Bluetooth API.

Nelson wants Spiral to explain its database leak in step-by-step detail, whether there's any identity theft protection in place, and what control people have over data collected by their CloudPets.

He also wants to know whether the Children's Online Privacy Protection Act applies to Spiral Toys' operation, details about its data collection and who data is shared with, whether any other breaches have happened in the past two years, whether consumers have the chance to delete their data, and more.

The letter came to light via Microsoft MVP Troy Hunt, who investigated the MongoDB leak:

The letter may reveal some actual useful information from California-based Spiral Toys. The biz sent a disingenuous statement to journalists in February. Back then it wrongly claimed the user data was “password encrypted,” and it was only a staging server that was compromised (it just happened to hold 500,000-plus production records). ®