Forewarned is forearmed
During this past Christmas campaign, media outlets such as El País or 20 minutos published several articles about toys whose distinguishing feature was the ability to record conversations in order to later offer interaction with them.
These articles warned of the potential risk of collecting data in the form of children's conversations. An advanced user could gain access to these recordings and have this type of data at their disposal. A priori it does not seem that they could cause any harm, but they can be used to simulate fake kidnappings, among other scenarios that we cannot even imagine. The way these toys work does not differ much from services such as Siri or Google Now, in which our voice is recorded to perform operations on the device.
Exposure of personal data in toys
The case we found, described and analyzed in depth at https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/ [English], was the worst that could be expected.
It should be noted that the United States does not have a law comparable to the Personal Data Protection Law (LOPD); instead, each state has its own regulations, and in some cases they may contradict each other.
To put this in context, the toy in question is a stuffed animal on which parents and authorized relatives can leave messages for children, so that the children can receive them while we are at work or away from them. The company CloudPets, through poor security measures and a poor implementation of the service, has caused the exposure of its customers' data, including their email addresses and about 2.2 million audio recordings of parents and relatives with their children.
Leaving aside the security and software engineering work applied, which is worthy of a novice, this is a serious violation of the privacy principle that a children's toy should uphold. Accessing this data is as simple as entering the URL associated with the resource; with no impediment whatsoever, we have access to it.
In summary, and to keep this brief, personal data protection regulations such as those we have in Europe and Spain with the LOPD may seem a nuisance from a company's point of view: a bureaucratic procedure that we carry out with no other objective than to avoid possible fines by complying with the minimum, and then forget about until the next review.
The protection of personal data must be incorporated at all levels of our productive activity, since it benefits us all. A blunder like the one we find at this toy company, apart from deserving the corresponding fine, should never have occurred if a protocol such as the one we have in our country with the LOPD had been applied at this American company.
At Edor Team Soft SL, we have a team of experts who can advise you on your projects, IT or otherwise, when applying the IT security measures that your company requires, depending on the level of confidentiality of the data processed. Consult us without obligation.