Manufacturer of cuddly connected devices Spiral Toys have joined a small but growing club of toymakers now infamous for compromising the highly intimate data they gather from families with young children.

The CloudPets range of furry friends uses microphones and speakers and a smartphone app to relay spoken messages — two million of which were left unprotected on an Amazon cloud server, accessible to anyone who could guess the URLs.

Over 800,000 passwords were also held in an unprotected database for several weeks (until it was locked by hackers demanding ransoms), all hashed with bcrypt but often too weak to withstand common cracking techniques.

It later transpired that the stuffed animals themselves were highly insecure. Without basic Bluetooth encryption, any malicious smartphone user can connect to the toys (from considerable distances, if using a directional antenna). Once connected, any audio recording can be broadcast to the device, and all audio recorded by the device is received by the smartphone. One clever young man uploaded a YouTube video to show how this might be done:

This story closely mirrors the recent story of My Friend Cayla, another Bluetooth-connected toy that was also wildly insecure. And so the immediate question is: how do we ensure that toys don’t expose children to privacy and security harms?! I don’t believe that regulations aimed at computers and other IT devices are the way to go, so I started wondering about existing toy safety regulations. In the US, toys for children under 12 are required to adhere to standards designated by the Consumer Product Safety Commission. At the moment, the regulations cover things that could cause physical harm to kids, but I wonder if this body of regulation is an entry point to security and privacy concerns. More research is warranted. Unfortunately, I expect to see many more of these in the coming years.