An AI Toy Exposed 50K Logs of Its Chats With Kids To Anyone With a Gmail Account

Author: BeauHD
January 30, 2026 09:02

🤖 AI Summary

**Summary of the Bondu AI toy privacy leak**

- **Product**: "Bondu", a plush AI toy for children, designed as an imaginary friend the child can talk to through its AI chat feature.
- **Discoverers**: security researcher Joseph Thacker and web security researcher Joel Margolis.
- **Problem**: a misconfiguration in Bondu's parent web portal let anyone who logged in with a Google (Gmail) account access it.
- **Data exposed**
  - Personal information such as children's names, birth dates and family members
  - The "objectives" and goals parents had set for their child
  - Conversation histories and summaries between children and Bondu (more than 50,000)
  - Private details such as nicknames, likes and dislikes, favorite snacks and dance moves
- **How it was found**: no actual hacking was involved; the researchers confirmed the data above was viewable simply by logging in with an arbitrary Google account.
- **Company response**: the affected console was taken down within minutes of the report, and a new version with proper authentication was relaunched the next day.
- **CEO statement**: the company takes privacy seriously and has informed users of its security measures; it has hired an outside security firm and announced ongoing audits of its systems.

**Bottom line**: Because Bondu's admin console was exposed without proper authentication, anyone with a Gmail account could view children's conversation histories and personal information. Countermeasures were taken as soon as the issue was reported, but the case again highlights how important privacy protection is for AI-equipped toys.
An anonymous reader quotes a report from Wired: Earlier this month, Joseph Thacker's neighbor mentioned to him that she'd preordered a couple of stuffed dinosaur toys for her children. She'd chosen the toys, called Bondus, because they offered an AI chat feature that lets children talk to the toy like a kind of machine-learning-enabled imaginary friend. But she knew Thacker, a security researcher, had done work on AI risks for kids, and she was curious about his thoughts. So Thacker looked into it. With just a few minutes of work, he and a web security researcher friend named Joel Margolis made a startling discovery: Bondu's web-based portal, intended to allow parents to check on their children's conversations and for Bondu's staff to monitor the products' use and performance, also let anyone with a Gmail account access transcripts of virtually every conversation Bondu's child users have ever had with the toy. Without carrying out any actual hacking, simply by logging in with an arbitrary Google account, the two researchers immediately found themselves looking at children's private conversations, the pet names kids had given their Bondu, the likes and dislikes of the toys' toddler owners, their favorite snacks and dance moves. In total, Margolis and Thacker discovered that the data Bondu left unprotected -- accessible to anyone who logged in to the company's public-facing web console with their Google username -- included children's names, birth dates, family member names, "objectives" for the child chosen by a parent, and most disturbingly, detailed summaries and transcripts of every previous chat between the child and their Bondu, a toy practically designed to elicit intimate one-on-one conversation. More than 50,000 chat transcripts were accessible through the exposed web portal. When the researchers alerted Bondu about the findings, the company acted to take down the console within minutes and relaunched it the next day with proper authentication measures. 
"We take user privacy seriously and are committed to protecting user data," Bondu CEO Fateen Anam Rafid said in his statement. "We have communicated with all active users about our security protocols and continue to strengthen our systems with new protections," as well as hiring a security firm to validate its investigation and monitor its systems in the future.
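The failure the report describes is a web console that treated a valid Google sign-in as sufficient to read every family's data: the portal authenticated the caller but never asked whether that caller was a parent of the child whose records were being returned. The following is an added illustration of that class of flaw, not Bondu's code; the session structure, the parent-to-child link table, the record shape and all names are constructed assumptions. It shows the weak check beside a tenant-scoped check that denies by default, plus an object-level check for a single-record endpoint.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    """What the portal knows after a Google sign-in completes (assumed shape).
    google_sub is the stable subject id from the ID token; email_verified
    is the claim that Google confirmed the address."""
    google_sub: str
    email_verified: bool


@dataclass(frozen=True)
class Transcript:
    child_id: str
    summary: str


class Forbidden(Exception):
    """Raised when a request is denied by the access check."""


# Constructed sample data: which signed-in account is linked to which child.
PARENT_LINKS: dict[str, frozenset[str]] = {
    "sub-parent-1": frozenset({"child-a"}),
    "sub-parent-2": frozenset({"child-b"}),
}

# Constructed transcript store standing in for the portal's database.
TRANSCRIPTS: tuple[Transcript, ...] = (
    Transcript("child-a", "named the toy and talked about a favorite snack"),
    Transcript("child-b", "made up a dance"),
    Transcript("child-b", "asked what dinosaurs eat"),
)


def list_transcripts_weak(session: Session) -> list[Transcript]:
    """Vulnerable pattern: authentication mistaken for authorization.
    The only question asked is "is this a real Google login?", so every
    verified account, linked to a child or not, receives the whole table."""
    if not session.email_verified:
        raise Forbidden("not signed in")
    return list(TRANSCRIPTS)


def list_transcripts_scoped(session: Session) -> list[Transcript]:
    """Hardened pattern: results are filtered by the caller's own links,
    and an account with no link is denied rather than shown everything."""
    if not session.email_verified:
        raise Forbidden("not signed in")
    allowed = PARENT_LINKS.get(session.google_sub, frozenset())
    if not allowed:
        raise Forbidden("account is not linked to any child")  # deny by default
    return [t for t in TRANSCRIPTS if t.child_id in allowed]


def get_transcript_scoped(session: Session, child_id: str, index: int) -> Transcript:
    """Object-level check for a single-record endpoint: the child_id taken
    from the request is verified against the caller's links before lookup,
    so a guessed or enumerated id for someone else's child is refused."""
    if not session.email_verified:
        raise Forbidden("not signed in")
    if child_id not in PARENT_LINKS.get(session.google_sub, frozenset()):
        raise Forbidden("caller is not a parent of the requested child")
    own = [t for t in TRANSCRIPTS if t.child_id == child_id]
    return own[index]


def exposure(policy: Callable[[Session], list[Transcript]],
             session: Session) -> Optional[int]:
    """Audit helper: how many records a given account can read under a policy.
    Returns None when the policy denies the request outright."""
    try:
        return len(policy(session))
    except Forbidden:
        return None


if __name__ == "__main__":
    stranger = Session("sub-unrelated", email_verified=True)
    print("weak policy, unrelated account:", exposure(list_transcripts_weak, stranger))
    print("scoped policy, unrelated account:", exposure(list_transcripts_scoped, stranger))
```

Under the weak policy an account with no relationship to any child reads every transcript, which is the condition the researchers observed; under the scoped policy the same account is refused. The fix is in the data access itself (the filter on the caller's links and the deny-by-default branch), not in the login flow, and the `Forbidden` events the scoped version raises are the signal a defender would log and alert on when one account starts probing many child identifiers.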

Read more of this story at Slashdot.