The Cloud is Listening (And Permeable)
February 27, 2017 1:59 PM

Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages [Parents] don't necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn't realise that in CloudPets' case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things). Unfortunately, things only went downhill from there.
posted by CrystalDave (65 comments total) 38 users marked this as a favorite
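The phrase "publicly facing network segment without any authentication required" comes down to two settings in mongod.conf, so here is an added example (not from the article, from CloudPets, or from anyone in this thread) that parses a config and flags them: a constructed weak config beside a constructed hardened one, audited with a few lines of Python. Both configs and the 10.0.5.12 app-segment address are made up for illustration. What is not made up: `security.authorization` is off unless you enable it, and a `bindIp` of 0.0.0.0 listens on every interface the host has.

```python
"""Audit a mongod.conf for the two settings that put a database in front of
Shodan: listening on every interface and running without authorization.
Added example for this thread, not code from the article or from CloudPets;
both sample configs below are constructed."""

# Constructed: the shape of mongod.conf that ends up indexed by Shodan.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
security:
  authorization: disabled  # also what you get when the key is absent
"""

# Constructed: the same server, hardened. bindIp lists loopback plus the
# address on the private app segment; authorization forces every client to
# log in. 10.0.5.12 is a placeholder address, not anyone's real network.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

# Loopback and RFC 1918 space; anything else on bindIp is treated as
# reachable from outside the host or its private segment.
_PRIVATE = ("127.", "10.", "192.168.", "localhost", "::1") + tuple(
    "172.%d." % n for n in range(16, 32)
)


def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML that mongod.conf
    uses (comments stripped, surrounding quotes removed). Enough for this
    audit, not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit(text):
    """Return a list of findings; an empty list means neither exposure is present."""
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []

    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" not in net:
        # 3.6 and later bind to localhost by default; older binaries listened
        # on every interface unless the config said otherwise.
        findings.append("net.bindIp is unset: older builds listen on every interface")
    else:
        addrs = [a.strip() for a in net["bindIp"].split(",")]
        exposed = [a for a in addrs
                   if a in ("0.0.0.0", "::") or not a.startswith(_PRIVATE)]
        if exposed:
            findings.append("net.bindIp reachable beyond the private segment: "
                            + ", ".join(exposed))

    # A keyFile (replica-set auth) implies authorization; otherwise it is off
    # unless explicitly enabled.
    auth_on = (sec.get("authorization", "disabled").lower() == "enabled"
               or "keyFile" in sec)
    if not auth_on:
        findings.append("security.authorization is not enabled: anyone who can "
                        "reach the port can read and drop every database")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit(conf) or ["no findings"])
```

This audits the file, not the host. A server whose config looks fine can still be exposed by a second instance, a port forward or a permissive cloud security group, so the complementary check is whether TCP 27017 answers from outside the app segment at all; the firewall the thread mentions is a separate layer that this script does not test.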
 
The 'S' in IoT stands for 'security'.
posted by pompomtom at 2:11 PM on February 27 [131 favorites]


Unfortunately, things only went downhill from there.

Woah. I did not expect this level of downhill-ed-ness.
posted by Nonsteroidal Anti-Inflammatory Drug at 2:12 PM on February 27 [3 favorites]


Internet of Shit, indeed.
posted by SansPoint at 2:13 PM on February 27 [8 favorites]


It is, unfortunately, a great example of many different Internet Security themes coming together, IoT awfulness, the lack of firewalling, MongoDB being insecure by default, lack of monitoring, and so on. Depressing, but useful, thanks for posting.
posted by DancingYear at 2:16 PM on February 27 [1 favorite]


Is it wrong that I want to get one of these for myself? It's only because I want to record my grocery list and then walk around the store with a talking stuffed animal asking it to remind me "what else is on our list again?" and having it respond.
posted by BigHeartedGuy at 2:17 PM on February 27 [46 favorites]


It is, unfortunately, a great example of many different Internet Security themes coming together

....as well as of completely pointless Internet enabling of a classic toy....I mean, you could even go halfway....you want your child to hear Daddy talking out of the bear? A sound chip, like in greeting cards, could do that. You want a 3 year old wailing in your ear at 2 AM while you reboot the wireless router? Cloudpets has you covered!
posted by thelonius at 2:21 PM on February 27 [6 favorites]


I have to say, the Internet of Shit is truly the wet dream of STASI agents. Why bother to break in, install a bug on the light switches and the telephone without drawing any attention, when all you need is to convince people to have microphones and cameras on poorly designed devices because FUTURE?
posted by lmfsilva at 2:25 PM on February 27 [25 favorites]


Every time I see an article like this, in my mind there is a giant Wheel of Fortune prize wheel spinning, with the prizes being "Usable for massive DDoS attacks", "Remote exploitable as a listening / surveillance device", "Discloses your WiFi password", "Uses a grossly insecure cloud back-end", "Allows life-sustaining/mission critical device X to be shutdown", etc. Luckily no one has hit on "destroys all life as we know it"...yet.
posted by inflatablekiwi at 2:28 PM on February 27 [16 favorites]


all you need is to convince people to have microphones and cameras on poorly designed devices because FUTURE?

but i saw it on star trek once

i mean, $607.98 and my privacy is a small price to pay to be able to do this amirite
posted by entropicamericana at 2:31 PM on February 27 [8 favorites]


Wow.

I assume this is why @SwiftOnSecurity has been yelling at MongoDB all week.
posted by PMdixon at 2:31 PM on February 27 [2 favorites]


The latest cstross novel coins the apt term "Internet of Things That Leak Personal Information"
posted by figurant at 2:37 PM on February 27 [5 favorites]


Yowzers.
posted by cortex at 2:48 PM on February 27


Previous discussion of the Hello Barbie toy also mentioned in the main article as having similar problems.

Some days I want to just go home and shut off my house from the internet.
posted by nubs at 2:53 PM on February 27 [2 favorites]


we thought the paranoid folks were mentally ill but I guess they got the last laugh
posted by AFABulous at 3:01 PM on February 27 [4 favorites]


Yes. We did.
posted by Splunge at 3:06 PM on February 27 [8 favorites]


data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan

Do you remember SHODAN? She remembers you, i-i-I-i-ins-s-sects.
posted by Doktor Zed at 3:07 PM on February 27 [11 favorites]


Germany's Bundesnetzagentur just banned a voice recognition doll, citing privacy and surveillance issues.
The heart of the problem, Homann says, is that Cayla looks like an everyday doll and gives no notice that it collects and transmits everything it hears — in this case, to a voice-recognition company in the U.S. whose other customers include intelligence agencies.
posted by zamboni at 3:13 PM on February 27 [12 favorites]


The heart of the problem, Homann says, is that Cayla looks like an everyday doll and gives no notice that it collects and transmits everything it hears — in this case, to a voice-recognition company in the U.S. whose other customers include intelligence agencies.

Do you think, in the meetings where they brainstorm different spying strategies, they just laugh their asses off?

It's somehow so much worse if they don't.
posted by schadenfrau at 3:26 PM on February 27 [4 favorites]


In "The Lives Of Others" you had to have a man in an attic and a break in team. I am not surprised that it is Germany that recognizes the threat that all of this poses.
posted by Pembquist at 3:39 PM on February 27 [7 favorites]


So the company basically cratered but left their systems running so that the toys already in the channel would work long enough to avoid too many returns? Hell's not hot enough for people like this.
posted by wenestvedt at 3:57 PM on February 27 [2 favorites]


So, this article is made way worse because I have the cloud-to-butt extension installed on chrome, thanks to Metafilter.
posted by Jon_Evil at 3:59 PM on February 27 [7 favorites]


Do you remember SHODAN? She remembers you, i-i-I-i-ins-s-sects.

L-l-l-l-look at you, homeowner.
posted by mhoye at 4:06 PM on February 27 [5 favorites]


From the makers of Snowden, comes the followup: Ruxpin.
posted by blueberry at 4:17 PM on February 27 [25 favorites]


So, this article is made way worse

Worse... or better?
posted by zamboni at 4:22 PM on February 27 [2 favorites]


Incredible. While I appreciate the concerned tone of the article, if I were this author doing the research I'd be balancing my concern with popcorn-eating-oh-man-I'm-watching-these-idiots-get-hacked-and-ransomed-in-real-time snickering.
posted by Existential Dread at 4:43 PM on February 27 [2 favorites]


if I were this author doing the research I'd be balancing my concern with popcorn-eating-oh-man-I'm-watching-these-idiots-get-hacked-and-ransomed-in-real-time snickering.

I'm not even the author, and that's what I'm doing.
posted by rpfields at 4:51 PM on February 27


Why bother to break in...when all you need is to convince people to have microphones and cameras on poorly designed devices because FUTURE?

ahem. mobile phones.
posted by j_curiouser at 5:06 PM on February 27 [5 favorites]


Recently I upgraded from an iPhone 5 to a 7+. The dude at the ATT store was so surprised that I didn't use cloud storage. Sure the security for iCloud storage is way better than this. But it still gives me pause. The cloud, in general, is not completely secure.
posted by Splunge at 5:13 PM on February 27 [1 favorite]


The cloud, in general, is not completely secure.

There is no such thing as completely secure.
posted by Slothrup at 5:30 PM on February 27 [12 favorites]


It seems like they hired someone to do the software development work who left the project before it was actually done. Then, instead of having the work finished, they just used the prototype or whatever as their final product and shipped it.

I'm extrapolating this from the confusing fact that they had "test" and "staging" databases, (which signals some experience on the part of the devs) but no production database, and then were using staging as production. I can see, as a developer, leaving Mongo in an insecure state like this if you were pressed for time, maybe you think you're building a "proof of concept" and have been promised time to refactor and you didn't expect your code to be delivered to customers as is. Bleak.
posted by ProtoStar at 5:32 PM on February 27 [9 favorites]


> My butt, in general, is not completely secure.

I'm so happy I went through the chrome security overrides to install this extension!
posted by I-Write-Essays at 5:34 PM on February 27 [7 favorites]


The lesson I take from this is that I should learn how to use mongoDB.
posted by Going To Maine at 5:39 PM on February 27 [2 favorites]


I swear my iPhone is listening to me when I'm having face to face conversations.

1. I was having drinks with a friend and he was talking about a sailboat he once had. I have never searched for sailboats or boat related things, or talked about them with anyone since I got this phone. My sole connection with sailboats was that I was on a catamaran once seven years ago. The next day there were sailboat rental ads on Facebook. This was an iPhone 6, about six months ago.

2. Similarly, a different friend brought up Peapod (grocery delivery) while we were having breakfast. To be fair, I *am* the target market, and I had probably looked it up a year or two ago, but the next time I checked Facebook there was an ad for it. I'd never seen one in my feed before. This was an iPhone 6s, a few weeks ago.

Is this a thing? Has this happened to anyone else? I feel like shutting my phone off whenever I'm talking to someone.
posted by AFABulous at 6:00 PM on February 27 [5 favorites]


The internet of extremely incompetently configured Linux boxes.
posted by jaduncan at 6:08 PM on February 27 [9 favorites]


The internet of extremely incompetently configured Linux boxes.

The year of Linux on the thing has arrived.
posted by Going To Maine at 6:12 PM on February 27 [5 favorites]


AFABulous: Delete the Facebook app, and use the mobile website instead. See if that stops it.
posted by SansPoint at 6:20 PM on February 27 [5 favorites]


Somewhere Charlie Brooker is taking notes.
posted by delfin at 6:25 PM on February 27 [1 favorite]


Facebook is definitely snooping on you. Don't install untrustworthy third party apps on your phone.
posted by I-Write-Essays at 6:27 PM on February 27 [7 favorites]


The lesson I take from this is that I should learn how to use mongoDB.

I don't know, maybe people should just... not use MongoDB? I admit that my direct experience is limited (I've only used relational DBs) but what I've heard of MongoDB is overwhelmingly negative. There are other NoSQL solutions out there if that's what you need.
posted by Jpfed at 7:14 PM on February 27 [2 favorites]


not sure the story about the stock price makes sense given that it's a pink sheet. i did a few minutes of googling. the CEO of this company has been involved in lots of other dubious enterprises that look like penny stock scams.

There's also a pretty wonderful video of him promoting his previous company.

https://m.youtube.com/watch?v=IDNabmDi78k

i'm not a reporter and don't have the time or energy to do the legwork. the story about hiring a contractor and just deploying the proof of concept makes a lot of sense. possibly the things were never even intended to sell.
posted by vogon_poet at 8:03 PM on February 27


the Internet of Shit is truly the wet dream of STASI agents.

Before the Wall fell, Putin was the KGB section head in Dresden.

you tell all your deepest secrets to bear, da?
posted by Halloween Jack at 8:45 PM on February 27 [2 favorites]


The lesson I take from this is that I should learn how to use mongoDB.

I don't know, maybe people should just… not use MongoDB? I admit that my direct experience is limited (I've only used relational DBs) but what I’ve heard of MongoDB is overwhelmingly negative. There are other NoSQL solutions out there if that's what you need.

My impression is that it’s far and away the most popular, though. I guess maybe Redis is better? CouchDB?
posted by Going To Maine at 8:56 PM on February 27


AFABulous: "I swear my iPhone is listening to me when I'm having face to face conversations.

1. I was having drinks with a friend and he was talking about a sailboat he once had. I have never searched for sailboats or boat related things, or talked about them with anyone since I got this phone. My sole connection with sailboats was that I was on a catamaran once seven years ago. The next day there were sailboat rental ads on Facebook. This was an iPhone 6, about six months ago.

2. Similarly, a different friend brought up Peapod (grocery delivery) while we were having breakfast. To be fair, I *am* the target market, and I had probably looked it up a year or two ago, but the next time I checked Facebook there was an ad for it. I'd never seen one in my feed before. This was an iPhone 6s, a few weeks ago.

Is this a thing? Has this happened to anyone else? I feel like shutting my phone off whenever I'm talking to someone."

No, but my tablet has had some OK Google spaz outs during movies and Netflix.
posted by Samizdata at 9:45 PM on February 27


AFABulous: did your friend search about yachts (seems likely). FB probably knows you were in close proximity, if you've each got the app.

With the grocery thing: is your friend a customer and also a FB friend?
posted by pompomtom at 10:03 PM on February 27 [2 favorites]


AFABulous: did your friend search about yachts (seems likely). FB probably knows you were in close proximity, if you've each got the app.

I've never been so glad I self-host my location data and don't have the FB app installed.
posted by jaduncan at 10:13 PM on February 27 [2 favorites]


Redis isn't for what people use MongoDB for. Redis was more of a replacement for memcached with data structures stuck on which are really great, but all in-memory with durability done really really simply. MongoDB is supposed to be durable, just inconsistent in order to scale better. Unfortunately, ACIDity is really really really cool beans for a database, so it routinely lost data for... years.

Couch is what Mongo could've been if they were done by folks who weren't out to furiously make a buck. It also has master-to-master replication. It is slow as fuck and I think even normal Couch folks would say that.

Jepsen test says Mongo got better enough in the last few months so that it isn't such a goddamn piece of shit anymore. This trajectory is very much similar to MySQL, which suffered its own long period of losing-data-and-being-a-piece-of-shit but now is pretty damned good, especially for more specific purposes. Security is still a giant stinking piece of shit, as all of you may have noticed.

NoSQL is a big umbrella. It's got to be a big umbrella if it's supposed to have both RethinkDB and Cassandra under it. It's defined by this bullshit opposition to SQL, which has claim to be the greatest domain-specific language ever invented, but the fundamental core is a willingness to have heterogeneity in databases. It gave us a few really great pieces of software (Redis) and a few giant pieces of shit. That's OK.
posted by hleehowon at 11:34 PM on February 27 [8 favorites]


My impression is that it’s far and away the most popular, though. I guess maybe Redis is better? CouchDB?

Redis isn't exactly a competitor for Mongo - it's more oriented toward in-memory storage. CouchDB counts - there are really a whole bunch of different NoSQL DBs with different pros and cons and I couldn't possibly tell you which is "best." I think the popularity of Mongo has a lot to do with it being easy to set up and its native use of JSON. It gets a fair amount of shit for bad security defaults and the possibility of letting data slip through the cracks under certain circumstances, and I think generally suffers from a reputation as a popular choice for people who don't quite know what they're doing/just know NoSQL is the hot thing. But I suspect if you do know what you're doing and what its limitations are it can be fine for the right use case.
posted by atoxyl at 11:44 PM on February 27 [1 favorite]


Oops beat me to it.
posted by atoxyl at 11:44 PM on February 27


Stewart Lee called Twitter “a state surveillance agency staffed by gullible volunteers” and “the Stasi for the Angry Birds generation”.

Seems apropos here as well.
posted by Meatbomb at 11:46 PM on February 27 [6 favorites]


jaduncan: I've never been so glad I self-host my location data and don't have the FB app installed.

How do you self-host your location data?

I've recently started using https://www.openstreetmap.org instead of google maps, but can't find a proper app for iPhone.
posted by beesbees at 11:59 PM on February 27 [1 favorite]


Suddenly I don't feel so paranoid about the tape over my monitor's camera and microphone.
posted by mushhushshu at 12:50 AM on February 28 [1 favorite]


Suddenly I don't feel so paranoid about the tape over my monitor's camera and microphone.

Never feel paranoid about simple precautions like these. Waaaay back in the day, when cordless phones were basically just semi-private walkie-talkies with no attention paid whatsoever to privacy or signal protection, it was possible to listen in on an entire apartment complex interacting with their banks using DTMF with just a laptop, a clever circuit board, and an old Motorola brick phone you could buy in bulk from 2600 magazine. Some level of healthy, non-obsessive paranoia is warranted. And never think that just because you're average that other people aren't nosy.
posted by xyzzy at 1:58 AM on February 28 [4 favorites]


Just a small chunk of anecdata, but I'm pretty sure the FB messenger native app listens in too - My wife and I were in the car talking about the possibility of getting her a small motor scooter type thing, which would require her taking a UK CBT (Compulsory Basic Training) course. This was a new thing - neither of us had searched for them or looked up any information prior to that conversation. My phone was on charge in a universal holder, playing music via bluetooth, so awake, charging and unlocked.

Next day, there's a Facebook ad on my desktop browser for courses in my area.

I've not got the full FB app installed, just Messenger on Android, having resisted the real FB app for a long time for exactly this kind of contact/SMS-snooping reason - The web version's fine. Unfortunately, FB have just modified their mobile web interface so you can't get at Messenger from there - There are workarounds, but I'm guessing most people just install the native client. In all fairness, I guess the effect above could have been native Google stuff + selling to ad networks that FB are customers of.

Of course, there's the native Google stuff on there anyway. And my TV's probably listening even though I have that feature disabled.

Once again hugely grateful for MF and other sites where I don't feel like I'm being probed and packaged for sale.
posted by PeteTheHair at 2:13 AM on February 28 [2 favorites]


Also, thanks for posting this - The company I work for has a sponsored IoT incubator arrangement, encouraging staff to play with ideas and get their hands dirty with embedded development type stuff. The company in question is large enough to know what they're doing, and has safeguards to stop lab projects accidentally getting sold to customers, but this kind of reminder never hurts... I'll be posting this in as many internal IoT boards as possible over the next few days.
posted by PeteTheHair at 2:26 AM on February 28 [1 favorite]


As a "this is what it's like from the other side" bit of anecdotal data, I've never installed FB Messenger but do have the FB app installed – I've never let it access anything though. It can't access my contacts, microphone, etc. You can specify that stuff per app on an iPhone (I have the 6). I use good ol' text messaging and phone, only discuss sensitive stuff in person. Occasionally WhatsApp with friends abroad.

I've never gotten weird surprise ads linked to real-me, and I've been online since 1990. Facebook's targeted ads towards me are so laughable that I'll click through occasionally just to keep them guessing – they've tagged me as everywhere on the LGBTQIA spectrum and various genders, have occasionally assumed I'm Russian/Japanese/Swedish/Italian (yes, IN those countries), and I still get shown alt-right stuff once in a while. This is likely from being raised in a fundy family and still having links to that so I know what they're up to. The alt-right stuff I don't click through and ask to be deleted, though. For the good of humanity and all.

Other tricks: only use FB messaging on my PC, on Firefox, which I don't use to log in to anything else. Have asked friends to use WhatsApp; if they're curious I tell them of Messenger's dangers on a phone. Same thing with Gmail: I only use it on Chrome, where it's the only thing I'm logged in to. I have a different email address for FB than is on the Chrome browser and my phone. Only ever use DuckDuckGo for search.

Only use a personal, private network backup hosted by a company in France I've known for 15 years now. They don't outsource anything and have always been clear that they want to be a manageable size, so they don't market much. Other stuff like iCloud gets cleaned up regularly. There's basically only my Flickr and Instagram accounts that are huge, but as open as they may seem, there are things I simply never post.
posted by fraula at 2:54 AM on February 28 [2 favorites]


  I've not got the full FB app installed, just Messenger on Android

The Messenger app is the worst for snooping. I removed it pre-Android 6, so it had to have all the permissions, and would gleefully ping whenever you went somewhere with special offers and requests to check in. I now only use FB on mobile through an adblocked browser, and have to switch to painful Desktop mode to read messages. Worth it.
posted by scruss at 4:57 AM on February 28 [2 favorites]


Jepsen test says Mongo got better enough in the last few months so that it isn't such a goddamn piece of shit anymore. This trajectory is very much similar to MySQL, which suffered its own long period of losing-data-and-being-a-piece-of-shit but now is pretty damned good, especially for more specific purposes.

During its losing-data-and-being-a-piece-of-shit phase MySQL apologists would brag about how much faster it was than its non-piece-of-shit competitors (e.g. Postgres), just as Mongo defenders do now. You don't hear that so much anymore. I suspect it turned out that much of that performance was bought at the cost of consistency, and I suspect it will turn out similarly for a lot of these flavor-of-the-month NoSQL databases.
posted by enn at 5:02 AM on February 28 [3 favorites]


Then, instead of having the work finished, they just used the prototype or whatever as their final product and shipped it.

Or as we in the tech biz like to call it, "Wednesday."
posted by Mayor West at 6:11 AM on February 28 [7 favorites]


Splunge: "The cloud, in general, is not completely secure."

There is no cloud. It's just someone else's computer.
posted by brokkr at 6:44 AM on February 28 [8 favorites]


If you're fine with your kids' recordings ending up in unexpected places then sobeit,

Wow, I've never seen that one before!
posted by fiercecupcake at 7:04 AM on February 28 [2 favorites]


MongoDB has its faults, but the problem of security and the Internet of Things doesn't rest on database choice. It may have magnified the issue here due to bad defaults in a given release years ago (that have since been fixed), but the problem is ongoing attention required to support Internet-facing/enabled devices; capital outlay by the manufacturer to update the software, but also attention by the consumer to upgrade the device.

If either or both of those things are missing, then you're stuck.

It would take all of five minutes to patch the specific hole here, but if the manufacturer isn't going to support ongoing development then there's no one to patch this, or future holes, regardless of the database vendor used.
posted by fragmede at 7:58 AM on February 28 [2 favorites]


If Facebook is eavesdropping, Apple should do a bit of corporate espionage, because Facebook's voice recognition must be way ahead of theirs. If the dictation service on iOS had been listening in, you'd have probably seen adverts for snail floats, rail moats and pail stoats.
posted by reynir at 11:56 AM on February 28 [4 favorites]


scruss: I used to switch to the painful desktop view too. However, I recently became aware of the existence of mbasic.facebook.com, which is an only-somewhat-painful ancient mobile interface that does still have messaging. :)
posted by adrienneleigh at 2:30 PM on February 28


FB probably knows you were in close proximity, if you've each got the app.

A data breach would be a boon for divorce lawyers.
posted by AFABulous at 7:58 PM on February 28 [1 favorite]


Do you remember SHODAN? She remembers you, i-i-I-i-ins-s-sects.

L-l-l-l-look at you, Daddy...
posted by turbid dahlia at 7:29 PM on March 5

