Login Register Subscribe
Current Issue

Hello Barbie has it all — including cyber risks

Reprints

Toymaker Mattel Inc. is trying to bring its iconic Barbie doll into the digital age by creating an interactive version that will actually talk back when children speak to their dolls. But due to security issues, so can hackers.

Mattel introduced the original Barbie at the annual Toy Fair in New York in March 1959 and unveiled the Hello Barbie version in late November of this year, just in time for the holidays. Using Wi-Fi and speech recognition technology, Hello Barbie can hold conversations, play games, share stories and tell jokes, according to the company. The doll sells for about $70 on retailer Amazon.com's website.

Security firm Bluebox discovered several issues with the Hello Barbie app, including that the app can be modified to reveal confidential information such as authentication credential passwords, according to a white paper released last week by the firm. The app will also connect a mobile device to any unsecured Wi-Fi network if it has Barbie in the name, allowing for a network spoofing attack to occur by an attacker impersonating the Barbie network to steal data, according to the white paper.

The Hello Barbie app utilizes an authentication credential that can be re-used by attackers and also shipped with unused code that serves no function, but increases the overall attack surface, according to the white paper.

In addition, the Bluebox analysis identified server-side security issues, including that the ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack — an exploit that takes advantage of the way some browsers deal with encryption. This would allow attackers to downgrade connection security and listen in on communications to the server such as uploaded conversations from the doll. Bluebox informed ToyTalk of these vulnerabilities, and the company has quickly resolved several issues, according to the white paper.

Bluebox wasn't the first to identify a security flaw with Hello Barbie. Researcher Matt Jakubowski previously said he'd discovered a flaw that would potentially allow hackers to pinpoint home addresses of doll owners.

Barbie isn't the only toy that's run into safety or privacy concerns related to its Internet connection. Hackers recently stole the account information of more than 6.4 million children who use the Learning Lodge app store for VTech Holdings Ltd. toys.