Editorial N°2 – GDPR and smart teddy bears

After forty years of service, France's Data Protection Act (the Loi Informatique et Libertés, adopted in January 1978) has been superseded. On Friday 25 May 2018 it gave way to a European text that harmonises the rules in force across the 28 member states of the European Union: the General Data Protection Regulation (GDPR).

Until now, companies had to notify the CNIL (Commission nationale de l'informatique et des libertés, the French data protection authority) each time they created a file holding information on their members, customers, employees or citizens. Offenders should beware: where the Data Protection Act allowed only modest fines, GDPR penalties can reach 20 million euros or 4% of the company's worldwide annual turnover, whichever is higher.

Staying GDPR-compliant beyond the 25 May deadline means building more resilient protection for personal data, at a time when data-compromise scandals keep making headlines. The Cambridge Analytica affair is the obvious example. More recently, Spiral Toys, which markets connected plush toys, has been accused of spying by several consumer associations: the CloudPets toys it sells are said to be riddled with security holes. The NGO Electronic Frontier Foundation has called on several retailers, including Amazon, Walmart and Target, to stop selling them now that they have been shown to be vulnerable.

CloudPets plush toys record exchanges with children. Spiral Toys stored these recordings in the cloud without any particular protection: the files sat behind a MongoDB database that had no password and no firewall in front of it, and was therefore reachable from the internet. Separately from that exposure, the toy's own Bluetooth connection can be abused by anyone within radio range of the stuffed animal to record its owners' conversations. Finally, the domain name of the set-up assistance site is up for sale and could be bought by a malicious party.
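The two settings at the heart of the database exposure described above are a mongod listening on every interface and running without authorization. The following is an added illustration, not code from the original editorial nor from Spiral Toys: it parses the two-level subset of YAML that a mongod.conf uses and flags the exposed combination next to the hardened one. Both configuration samples are constructed for this example; the option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`) are real mongod options.

```python
"""Flag the mongod.conf combination behind an internet-exposed, passwordless
MongoDB: bound to all interfaces and authorization not enabled.

Added example for this editorial; the configs below are constructed, not
anything recovered from the CloudPets incident.
"""

from typing import Dict, List

# Constructed: the exposed shape. Listens on every interface, no security
# section at all, so any client that can reach port 27017 is a full admin.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the hardened shape. Loopback only and role-based auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'section:\\n  key: value' subset of YAML used by mongod.conf.

    Comments and blank lines are skipped. Deeper nesting is not needed for
    the two checks below, so a full YAML parser is deliberately avoided to
    keep this self-contained.
    """
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def findings(text: str) -> List[str]:
    """Return a list of exposure findings for one mongod.conf text."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    sec = conf.get("security", {})
    out: List[str] = []

    # Default for a missing bindIp is localhost-only since MongoDB 3.6;
    # older releases bound every interface by default, so on an old
    # deployment an absent bindIp should be treated as exposed as well.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll", "false").lower() == "true" or "0.0.0.0" in addrs or "::" in addrs:
        out.append("listens on all interfaces (net.bindIp/bindIpAll)")

    # Without security.authorization: enabled every connection is unauthenticated.
    if sec.get("authorization", "disabled").lower() != "enabled":
        out.append("authentication not enforced (security.authorization)")
    return out


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", findings(conf) or ["no findings"])
```

Enabling authorization only matters once real users and roles exist, and a host firewall or security group is still needed as a second layer: this check covers the daemon's own settings, not whatever sits in front of it. Either finding alone is enough for an instance to turn up in a Shodan query for open port 27017.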

These recordings were found through Shodan, a search engine that indexes internet-connected devices and services, exposed databases included. Most worrying of all, according to Mozilla and the Berlin security firm Cure53, Spiral Toys knew about the vulnerabilities in these toys. A damning situation that highlights both the poor security of connected objects and the lack of awareness, or even the negligence, of the manufacturers that make them. One can imagine the consequences of such a lack of involvement from companies in the industrial or defence sectors.