The New York Times calls it a “Wi-Fi Barbie Doll With the Soul of Siri” and for many kids it may be a dream come true: A doll that listens and responds to you.
Mattel’s Hello Barbie has been one of the most buzzed about connected toys. And thanks to an app that connects the toy to your Wi-Fi network, the world’s most popular doll is now on the Internet of Things.
Here’s a look at how it works:
If you don’t shop for kids’ toys, you might not have not even realized that there is smart Barbie — until news of the VTech hack broke. More than 6 million children’s profiles have been exposed in the hack of the Hong Kong toymaker. Suddenly in the midst of the biggest toy buying time of the year, parents are forced to consider the security implications of connected toys they couldn’t have imagined when they were kids.
If there’s a theme to this blog, it’s that if it’s smart, it’s vulnerable.
Security researcher Matt Jakubowski was able to “access users’ system information, WiFi network names, internal MAC addresses, account IDs and MP3 files” And he said “it was only a matter of time” before he could hack the doll to speak directly to kids.
Like many IoT threats, proximity is key.
On the company’s Tumblr , ToyTalk’s Chief Technology Officer points out that the company isn’t “aware of” anyone being able to use the doll to access “your WiFi passwords or your kid’s audio data.”
Given that it is the first WiFi doll, the company is preparing for breaches and has a bug bounty program in place.
Jakubowski told Global News, “Overall I think ToyTalk has done a outstanding job on the security protocols they have in place. The doll when in WiFi mode requires a client-side cert to be valid in order to access any of the data, it also limits the data that it can accept thus limiting the attack surface.”
He added, “ToyTalk also appears to be using HTTPS for all communications to ensure no eavesdropping of any kind can happen. These are all good levels of security that you don’t typically see in many IoT devices. ToyTalk has certainly taken many of the concerns and has addressed them as best as they could.”
These are positive steps and completely necessary given the intimacy many children already feel toward Barbie. But some privacy experts are still skeptical. In the wake of VTech, HaveIBeenPwnded.com’s Troy Hunt is warning against anything that expands your child’s digital footprint.
“Given the way children have been shown to interact with dolls, then, there’s a strong likelihood that they will tell Hello Barbie everything,” Mary Emily O’Hara writes in The Kernel.
Chances are that Hello Barbie won’t be the last doll that’s on the IoT and with the advances of artificial intelligence, toys will become even more immeshed in kids’ lives.
For criminals the attack is risky. “Is it worth staging a user-by-user attack against a child’s doll?” Richard Chirgwin asked in The Register.
Since this is a whole new world, who knows for sure. For now, parents should start to think of Wi-Fi connected toys like smartphones or tablets. Parents should be observant of how kids use them, supervise their use and put them away when they’re not being used.
Also, make sure your child’s password and your WiFi network are unique, strong and unguessable, of course.
[Image by Patrick Quinn-Graham | Flickr]
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018
There are some advantages to being around "forever," as Mikko Hypponen, F-Secure's Chief Research Officer,…
March 10, 2018