A Hello Barbie vulnerability in its software could make the child’s toy easier to hack leaving the data of children exposed. Hello Barbie was introduced by Mattel as an interactive adventure toy that kids could interact with and ask questions of. Kids ask the doll questions and the responses come from ToyTalk’s servers (Mattel makes the Barbie, and ToyTalk supplies the technology and cloud services). Hello Barbie is much like Cortana, Google Now, or Siri and learns as it gets more questions asked of it.
This new report shows that hackers could have intercepted the encrypted data sent between the doll and the servers of its maker ToyTalk. And owing to the fact the server was vulnerable to a well-known exploit to downgrade and break web encryption, known as the POODLE attack, the hackers could have effectively accessed and listened to children’s recordings.
We have been working with Bluebox and appreciate their Responsible Disclosure of issues with respect to Hello Barbie. We are grateful that they informed us of relevant security vulnerabilities, which have been addressed.
Right now there haven’t been any reports of hacks on the popular toy but one of the researchers who conducted a sample hack (Matt Jakubowski) says preventive measures should be taken quickly. To ToyTalk and Mattel’s credit, some of the issues have been resolved since Bluebox reported the findings to them.
We discovered several issues with the Hello Barbie app including:
- It utilizes an authentication credential that can be re-used by attackers
- It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
- It shipped with unused code that serves no function but increases the overall attack surface
On the server side, we also discovered:
- Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
- The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack
Prior to publication of the research, Bluebox Labs disclosed all critical security issues to ToyTalk. Due to their fast response time, a number of the issues have already been resolved.
With the recent VTech toy hacks and the amount of interactive toys coming to market, parents should be concerned. Right now the only preventive measure you can take to protect your child’s privacy is not to buy these interactive toys or do not use their cloud services.
What do you think of the news that Hello Barbie is hackable? Let us know in the comments below.