Mattel has taken one of the world's most recognized dolls and combined it with the concept behind Siri. Hello Barbie, the first Internet-connected “smart doll,” is equipped with interactive software, allowing little girls everywhere to finally have more than just a one-sided chat with Barbie. The $75 doll can carry on a seemingly real conversation by recording what the child says and sending it via Wi-Fi to the cloud for Barbie's computer-generated response.
These conversations, however, are stored and analyzed by ToyTalk, the San Francisco software company that makes the interaction possible. As we reported in April, some privacy advocates voiced concern when the doll was introduced, since the maker of the doll's software reserved the right to “use, store, process and transcribe recordings in order to provide and maintain the Service, to perform, test or improve speech recognition technology and artificial intelligence algorithms, or for other research and development and data analysis purposes.
Bluebox Labs, along with independent security researcher Andrew Hay, examined the mobile components of Hello Barbie and discovered a number of problems.
There were some very worrying security issues with the Hello Barbie app. Researchers found that:
It utilizes an authentication credential that can be re-used by attackers
It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
It shipped with unused code that serves no function but increases the overall attack surface
The client certificate authentication credentials could be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack
More secure development needed
Researchers believe that the security for the app and device are simply not up to par. “For any connected device, strong security must take into account not just the device itself, but the full scope of apps and infrastructure associated with it,” explains Andrew Blaich of Bluebox.com.
Blaich goes on to state that security must be prioritized for devices like Hello Barbie. “All of the issues discovered point to the need for more secure app development, as well as the need for integrating self-defending capabilities into not only stand-alone mobile apps, but also the apps that power IoT devices like Hello Barbie. Ultimately, this research demonstrates the security of the mobile apps associated with IoT devices must be a higher priority,” he said.
Prior the publication of the research, Bluebox Labs disclosed all critical security issues to ToyTalk and a number of the issues have already been resolved. Mattel has said in a statement that they are “committed to safety and security” when bringing new products to market, but privacy advocates warn that anything stored in the cloud can potentially be inappropriately accessed.