Hello Barbie, Mattel’s internet-connected doll, is one of the favorite holiday gifts for children. However, be careful when buying this doll: you might have to compromise your privacy, as this iconic doll comes with a few security weaknesses.
This Friday, Andrew Hay, research director at OpenDNS, and security firm Bluebox uncovered a range of security flaws in the systems behind Hello Barbie, which listens to children and uses artificial intelligence to respond. Vulnerabilities in the Android and iOS apps that are used to set up and communicate with the toy could have allowed hackers to spy on play sessions. When turned on, Hello Barbie acts as a Wi-Fi access point, but the researchers found that the app would connect the phone to any Wi-Fi network with the word “Barbie” in its name. That means a hacker could easily create a malicious Barbie Wi-Fi hub and start stealing data from the phone.
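The name-matching weakness described above, as an added example that is not Mattel's or ToyTalk's code: the weak selector trusts any SSID containing "Barbie", while the hardened one treats the name only as a shortlist and requires a challenge-response proof. The SSIDs, function names and the per-doll shared secret (for instance one printed on the doll and entered during setup) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-doll secret shared with the app at pairing (constructed value).
DEVICE_SECRET = b"per-doll secret provisioned at pairing (constructed)"


def genuine_doll(challenge: bytes) -> bytes:
    """The real doll proves it holds the shared secret."""
    return hmac.new(DEVICE_SECRET, challenge, hashlib.sha256).digest()


def lookalike_hub(challenge: bytes) -> bytes:
    """A network that only copies the name cannot compute the proof."""
    return hashlib.sha256(challenge).digest()


# Constructed scan results: (SSID, whatever answers on that network during setup).
SCAN = [
    ("Free Barbie Setup", lookalike_hub),
    ("Barbie-1A2B", genuine_doll),
    ("HomeNet", lookalike_hub),
]


def pick_by_name(scan):
    """Weak form: trust the first SSID containing the word 'Barbie'."""
    for ssid, _ in scan:
        if "Barbie" in ssid:
            return ssid
    return None


def pick_authenticated(scan, secret=DEVICE_SECRET):
    """Hardened form: the name only shortlists; a fresh challenge decides."""
    for ssid, responder in scan:
        if "Barbie" not in ssid:
            continue
        challenge = secrets.token_bytes(32)  # fresh per attempt, so replays fail
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(responder(challenge), expected):
            return ssid
    return None
```

With the constructed scan list, the name-only selector settles on the look-alike network, while the authenticated selector skips it and returns nothing at all when no network can answer the challenge.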
“We are aware of the Bluebox Security Report and are working closely with ToyTalk to ensure the safety and security of Hello Barbie,” said Michelle Chidoni, Mattel spokesperson, in an emailed statement to The Washington Post.
According to Martin Reddy, co-founder and chief technology officer of ToyTalk, the company has been working with Bluebox and has fixed many of the issues raised. ToyTalk was informed about the issues in mid-November, and the researchers say the company was very responsive.
“It’s important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access [to] WiFi passwords, no access to child audio data, and cannot change what the doll says,” said Reddy.
The researchers say that the connection between the doll and the server was also vulnerable to so-called POODLE attacks, which allow a hacker to intercept traffic between the server and the doll, reduce the level of encryption used and potentially hack the child’s conversation with the toy.
The flaws are easy to fix, the researchers say, but the news comes as VTech, another company that makes children’s toys, recently suffered a data breach that disclosed information on 6.4 million children and 4.8 million adults.
Vulnerabilities are a certainty these days, as most companies are connecting everything to the internet, from automobiles to home decor to toys. So, in the case of Hello Barbie, you can easily say that it could be one of the best holiday gifts for hackers.