Researchers have found a number of security flaws in Mattel’s Hello Barbie doll, pictured above. Software manufacturers are racing to patch her up before the holidays.
Ben Fox Rubin/CNET
Hello, Barbie — can we talk? Security researchers are worried about your safety.
New data released Friday by security firm Bluebox reveals even more vulnerabilities in Hello Barbie, the $75 Internet-connected doll from Mattel. Researchers found the application and the cloud server that connect the doll to the Internet could allow attackers to cut through security protections and access recordings of children’s conversations with Barbie. That’s probably enough to put Barbie on the naughty list this holiday.
This isn’t the first time someone has raised concerns about the iconic doll. Last week, a different researcher, Matt Jakubowski, said he’d discovered a flaw that could let hackers pinpoint home addresses for doll owners.
Barbie isn’t the only toy having difficulty safely connecting to the Internet. Earlier this week, hackers stole account information of more than 6.4 million children who used Learning Lodge, an Internet-connected toy made by VTech. The company has since hired a high-profile cybersecurity incident response team to help deal with the aftermath.
As parents gear up to purchase this and other Internet-connected toys for the holidays, Mattel and software maker ToyTalk are racing to patch the problems to make Hello Barbie secure.
ToyTalk has fixed some of the flaws in the software it built for Hello Barbie and is working its way through the others. The company also set up a “bug bounty” program about two weeks ago to streamline reporting from any other researchers looking into the doll’s software.
Despite the recent flurry of software patches for Hello Barbie, ToyTalk executive Martin Reddy said the company built in security features from the very beginning and had a cybersecurity company audit the toy before taking it to market.
“Security has been a major focus throughout the entire process, and I think we’ve done a very good job of it,” Reddy said. “I’m very proud of the [doll].”
A Trojan horse of a different sort
The way Barbie works seems magical at first glance. Children talk with Barbie, and her necklace lights up to show she’s listening. Then, she talks back. Behind the scenes, the doll wirelessly talks to a companion app and ToyTalk’s service on the Internet.
A hack on the doll’s software could have wide-ranging consequences. Once Jakubowski opened up one Hello Barbie doll and hacked it, the toy became a gateway for him to send signals wirelessly to other Hello Barbies connected to the Internet. Meanwhile, the Bluebox researchers found flaws in the companion app, as well as ToyTalk’s website account service.
Hackers could “potentially take the voice recordings and…reconstruct it as the child recorded it. Or, as the 36-year-old security researcher recorded it,” said Andrew Hay, who helped Bluebox research the doll.
The good news is that these flaws are easy to fix, and so far there aren’t any indications that hackers have actually used them on real-life children at play. And all told, the flaws were not exactly direct paths to Hello Barbie’s beating heart.
What’s more, not all Internet-connected dolls are made equal. For example, the My Friend Cayla doll also talks with children, but she doesn’t record conversations, let alone send recordings to the cloud like Barbie does. Tim Medin, a security researcher at Counter Hack, attempted to hack her in January and came up with a few flaws that required hackers to get physical access to the doll or at least get very close.
In the process, he made Cayla respond to him with some foul comments, which did draw some negative attention to the doll. But unlike with Hello Barbie, researchers needed physical access to Cayla, and the doll wasn’t susceptible to attacks over the Internet.
“Cayla was basically the subject of a tech prank,” Peter Magalhaes, general manager of Cayla manufacturer Genesis, said.
For Barbie, not so much.