Digital Exorcism: Fighting IoT Poltergeists, Cyber Puppeteering and other evil forms of the digital transformation
Aylton Souza
Sales Lead @ AWS | Helping customers to drive their digital transformation journey
“Any sufficiently advanced technology is indistinguishable from magic” - Profiles of the Future, Arthur C. Clarke, 1961
An inoffensive teddy bear meant to be your kids' best friend starts to speak with a strange voice and leaves your life and your family’s exposed to evil in many forms.
This is not a scene from a creepy B-movie or an independent festival film. CloudPets are plush toys that connect through Bluetooth to phones and allow the kids' family to send messages that will be “said” by the toy. What could go wrong? Approximately 800,000 records of customer credentials, as well as, allegedly, 2,000,000 voice recordings were exposed in what I call "one of the first documented cases of Digital Poltergeist!"
Quoting the original article: “Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn't behind a firewall or password-protected. The MongoDB was easy to find using Shodan, a search engine that makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data”. The details only get worse when you realize that at some point someone "hijacked" the database, encrypted all the data and demanded a ransom. Not once. Twice (apparently by two different groups or in two different incidents).
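The failure the quoted article describes, a database reachable from the internet with no password, maps directly onto two settings in a MongoDB server configuration file (mongod.conf). The fragment below is an added illustration, not configuration from Spiral Toys or from the article: the first YAML document is the exposed shape, the second is the hardened one. The keys net.bindIp and security.authorization are MongoDB's own configuration options; the port and addresses are placeholders. Before MongoDB 3.6 the server bound to all interfaces by default, which is why so many unauthenticated instances were reachable from the internet and easy to find with Shodan.

```yaml
# Added example, not from the article or Spiral Toys.
# Document 1 - exposed: listens on every interface and enforces no authentication.
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from the internet if the host has a public address
security:
  authorization: disabled  # anyone who can connect can read, modify or encrypt every collection
---
# Document 2 - hardened: listen only where the application lives and require credentials.
net:
  port: 27017
  bindIp: 127.0.0.1        # placeholder: loopback, or the private IP of the app network; pair it with a host/network firewall rule
security:
  authorization: enabled   # every client must authenticate as a created user with an assigned role
```

After switching authorization to enabled on a server that has no users yet, MongoDB's localhost exception lets you create the first administrative user from a shell on the same host; from then on every connection, remote or local, must authenticate. The firewall rule is not optional: binding to a private address limits exposure, but the network boundary is what keeps a misconfiguration from becoming a public database.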
I have recently written, in an article, about the need to review our security practices to consider new threat vectors on consumer and enterprise devices and on cloud services, but it is interesting to see that we have to pair the speed of our digital transformation with new ways of thinking about security.
In the CloudPets case, understanding the technical aspects of the leak makes us question what other cheap internet-connected services, tools and toys are poorly designed in terms of security. Even without the technical details, we can validate the idea of rethinking the challenges and threats, but also the mitigations and better security planning, with the cloud and device world taken into consideration.
Think of a creepy toy and compare it with possibilities like this one here (which in this case was apparently a joke before the real incident). But don't be surprised to see real cases like "Hey @CloudPets someone named S. Atan keeps sending messages to my kids' cloud pets and the app won't let me block him. Please help." That would sound like Digital Possession to me!
Cars are another example. In addition to hacks like this and this, we should have best practices for the “right to be forgotten” by our new digitally connected cars and other devices.
I don’t think we have coined any terms for these new kinds of threats, so this is my lighter take: describing some of these new challenges with my own definitions. I promise to use the de facto terms for these phenomena when a “mainstream” naming convention appears, but here are some interesting ideas to help protect you against some new forms of threats.
Digitally Exorcising your CloudPets
a) Change your password on the service and on every service where you might have reused the same password. On popular services like Outlook.com/Hotmail and other social and corporate accounts, consider Multi-Factor Authentication.
b) Monitor closely the email account used for the CloudPets (or similarly affected) service.
c) Keep an eye on the pet (ears too…).
d) Have I Been Pwned? is a good reference to track when something goes really wrong (or you suspect so): https://haveibeenpwned.com/
Fighting IoT Poltergeists
- Remember to erase your “home” location and other saved data in your GPS, and the directory synced from your phone, before you sell your car
- Same for the connected home: think twice when buying that used smart thermostat or other IoT piece
- Ensure you protect your Wi-Fi passwords (WPS is a good idea) and credentials, and never reuse passwords
- Ensure you apply the latest patches and firmware versions provided by the manufacturer – not all IoT devices are equal!
- “Phone home” - Look at how your IoT devices provide remote / cloud connection: many devices “phone home” or require UPnP support on the router to expose your devices for remote access. Be responsible and careful
- Connected services: many IoT devices allow connecting different services (e.g. IFTTT, social network accounts) – ensure you limit this access and always keep good practices like not reusing passwords and limiting the scope of service affinity
Cyber Puppeteering
If you have a possessed plush toy, consider cyber-exorcising it as recommended for the CloudPets possession episode. If the malware or entity has taken over your digital assistant, some additional protection measures are described in my previous article.
And last, some more links that can be useful:
SkyLexaSirinetana: Why your new assistant may kill you
Latest on CloudPets and their Privacy Policy: CloudPets Privacy Policy