It seems Vtech isn’t the only toy company playing it fast and loose with children’s privacy. Security researchers have discovered myriad security flaws that make Mattel’s Hello Barbie connected doll hackable.
When Hello Barbie was introduced earlier this year, the doll’s connected technology came under scrutiny from parents and advocacy groups concerned about data security and privacy. The doll has a built-in microphone that allows it to listen to a child’s questions, which are then answered from a bank of possible responses managed by a cloud-based system. The whole thing works a bit like Siri. The creepiest thing is that over time, the doll learns about a child’s tastes and preferences, and adjusts its responses accordingly. Parents were understandably concerned about what Barbie might be saying to and learning about their kids.
At the time, Mattel and the company behind the tech, ToyTalk, denied that the data would ever be used in any way people would find objectionable—they wouldn’t pollute the minds of impressionable children with advertising or bad ideas. Well, it turns out that the real threat comes not from Mattel or ToyTalk, but from malicious parties who can easily gain access to and replace the doll’s brains.
A new report released today by researchers at security firm Bluebox Labs reveals problems with both the Hello Barbie mobile app and the way the app communicates with ToyTalk’s servers in the cloud. Most egregiously, ToyTalk used outmoded encryption technology that’s known to be vulnerable.
Motherboard described Bluebox Labs’ findings:
This new report shows that hackers could have intercepted the encrypted data sent between the doll and the servers of its maker ToyTalk. And owing to the fact the server was vulnerable to a well-known exploit to downgrade and break web encryption, known as the POODLE attack, the hackers could have effectively accessed and listened to children’s recordings.
Bluebox Labs reported the vulnerabilities last month, and ToyTalk has reportedly patched the problems.
Last week, NBC reported the work of researcher Matt Jakubowski, who was able to hack Hello Barbie’s OS when it was connected to Wi-Fi, giving him complete access to the private information stored on it. In the report he concludes that if the vulnerabilities of Hello Barbie aren’t patched, it’s only a matter of time before hackers can replace Hello Barbie’s cloud-based brain with another.
In a statement, ToyTalk CTO Matt Reddy told Gizmodo:
We have been working with Bluebox and appreciate their Responsible Disclosure of issues with respect to Hello Barbie. We are grateful that they informed us of relevant security vulnerabilities, which have been addressed.
As of right now there’s no evidence that Hello Barbie’s vulnerabilities have actually been exploited. Still, these reports, coupled with the huge breach of Vtech’s servers, underscore the fact that though companies are anxious to sell you connected toys for your kids, they’re not taking security seriously enough.