A security researcher says he broke into Hello Barbie, pictured above, to prove she could be hacked.
The song says Santa Claus sees you when you’re sleeping and knows when you’re awake. But is he the only one?
That’s the lesson to be learned after hackers and researchers have been running amok with Internet-connected toys in the past month. One intruder breached more than 11 million accounts tied to a toy from VTech called Learning Lodge, revealing the names, birthdays and genders of more than 6.3 million children and scooping up their photographs to boot. As if that weren’t creepy enough, a researcher revealed to reporters a security hole in Mattel’s talking Hello Barbie, a $75 toy that talks to you like Siri from an iPhone. The flaw could allow hackers to steal personal information and listen in on kids.
Forget the “Elf on the Shelf,” the make-believe story about a doll that reports to the North Pole with information on kids’ behavior. With today’s connected toys making their way to potentially millions of children for the holidays, spying on kids is no longer a joke.
Mattel said that no actual child’s information has been stolen so far from Hello Barbie. ToyTalk, which creates the software that powers Hello Barbie, has a “bug bounty” program that will pay researchers to find flaws. “Mattel and ToyTalk have built in many privacy and security measures, and we are committed to providing the safest possible experience for parents and children,” Mattel said.
Don’t expect this to be the last we hear of toys being attacked. As more smarts are built into everyday toys, researchers say hackers will find ways to break in and steal valuable information or, worse, track our children while they play.
There are two critical mistakes these companies are making, according to security researchers. They store too much information, and then they don’t adequately protect it. “If you are storing it, do it in a place where it’s less likely to be exposed,” said Mark Nunnikhoven, an expert at Trend Micro.
There are many reasons this is happening, but security specialist Ed Skoudis said it comes down to the quality of the technology these companies are using.
“This stuff is really primitive from a security perspective,” he said, speaking of the growing list of connected toys on the market, as well as other household devices that connect to the Internet, such as baby monitors and fitness trackers.
All these devices might seem like they’re fresh off the set of the Jetsons, but they’re actually rudimentary, he said. They often contain a simple computer and tend to come with default passwords that hackers can find online if they really want to. The result is that even a beginning hacker could break into them.
Skoudis is the head of Counter Hack, a company that looks for flaws in networks and connected devices, including toys. He also offers free online training focused on helping tech types learn about a new area of cybersecurity. This year’s theme just happens to be Internet-connected toys.
He hopes the training will help move more Internet-connected toys onto the nice list. “We need people to find these [flaws] and fix them,” he said. “Otherwise they just sit there silently.”