2015-12-05
‘Hello Barbie’ Should Say Goodbye to These Security Settings.

Cybersecurity researchers uncovered a number of major security flaws in systems behind Hello Barbie, an Internet-connected doll that listens to children and uses artificial intelligence to respond. Mattel’s Wi-Fi-connected “Hello Barbie” boasts some of the same features as your mobile virtual assistant: she talks, stores data in the cloud, and gets to know you over time. Mattel’s “Hello Barbie,” which allows children to engage in conversation with the iconic doll, suffered at launch from serious security issues, according to analysis by experts at Bluebox Labs. Vulnerabilities in the mobile app and cloud storage used by the doll could have allowed hackers to eavesdrop on even the most intimate of those play sessions, according to a report released Friday by Bluebox Security and independent security researcher Andrew Hay. “We are aware of the Bluebox Security Report and are working closely with ToyTalk to ensure the safety and security of Hello Barbie,” said Mattel spokesperson Michelle Chidoni in an emailed statement. Computer security researchers dug into the toy’s accompanying app and discovered several flaws that let hackers eavesdrop on communications between it and the cloud servers it connects to.


Much like how Siri and Google Now work, the doll would send recorded speech to the cloud, where the audio is analyzed and a response determined, which is sent back to the doll for playback. Martin Reddy, co-founder and chief technology officer of ToyTalk – the company behind the voice features in Hello Barbie – told The Washington Post that the company has been working with Bluebox and has “already fixed many of the issues they raised.” The researchers said that they informed ToyTalk about the issues in mid-November and the company was very responsive. That’s because a Barbie, while not a necessity, not something you absolutely need, is definitely something you’re highly motivated to buy if you have a little girl. When Hello Barbie was introduced earlier this year, the doll’s connected technology came under scrutiny from parents and advocacy groups concerned about data security and privacy. But the news comes on the heels of a major breach at VTech, a Hong Kong-based seller of toys for toddlers and young children, which exposed profiles on more than 6 million children around the world.


The doll has a built-in microphone that allows it to listen to a child’s questions, which are then answered from a bank of possible responses managed by a cloud-based system. The app, for instance, would connect to any Wi-Fi network with the word “Barbie” in the name, regardless of whether that connection was secure or not, putting transmitted data at risk. Letting go of the buckle sends the audio to ToyTalk’s servers to analyze, and she spits back a preprogrammed response in less than a second: Do home videos count? Hello Barbie’s security issues are another sign that Internet-connected devices are making their way into children’s hands with problems that leave privacy at risk. “It’s really important that if you want to use these connected toys, no matter if it’s a doll or a tablet, you be really careful about what information is being sent to and from the servers, and how it’s secured,” said Andrew Bleich, lead security analyst at Bluebox. “Once data is out of your control, that’s it – there’s no taking it back, essentially.” Consumer advocates sounded the alarm about Hello Barbie before the security flaws were uncovered. Andrew Hay, research director at Cisco-owned OpenDNS, and researchers at Bluebox Security, a security firm based in San Francisco, found that the toy uses a digital ID that attackers can abuse and potentially let them spy on the chatter between a doll and a server.

The servers that stored and analyzed speech were vulnerable to phony security certificates as well, Bluebox reported, and had not patched the widespread “POODLE” bug that affects secure connections. That’s because buried in Tammy’s terms of service — which you didn’t read — was a clause authorizing the toy company to sell the data Tammy collects to marketers.

After spending several years being overshadowed by Disney’s “Frozen,” Bratz, and American Girl, Barbie once again leads the pack of most-wanted toys for girls, according to the National Retail Federation’s Top Toys Survey for the 2015 holiday. As a 26-year-old man who has made few friends since college, I volunteered to spend a few days with Hello Barbie to embrace the future of artificial intelligence companionship. They’re also working on a way to hijack Tammy’s microphone and speaker, making it possible for strangers to say nasty things to your daughter and listen to your family whenever they want. Barbie is programmed to chat and play games (e.g., she pretends to give a book report and I play her teacher who’s supposed to interrupt her whenever she makes a mistake) that can extend to more than 200 exchanges.

The doll’s talking features work by recording a child when they press a button on its stomach, then sending the audio file over the Internet to a server, where it is processed. To design the doll and app, Mattel partnered with ToyTalk, a tech startup founded by former Pixar executives in 2011 that has raised $31 million in venture capital funding to date. Well, it turns out that the real threat comes not from Mattel or ToyTalk, but from malicious parties who can easily gain access to and replace the doll’s brains. The group was concerned about Barbie probing children about their interests, families, or location, not to mention the possibility of her being reprogrammed with inappropriate replies, or switched to an always-on mode.

Just last week, Hong Kong-based toymaker VTech Holdings Ltd. announced a hacker had compromised a database containing photos and personal information about 6.4 million children, including 316,000 in Canada. It is important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access to WiFi passwords, no access to child audio data, and cannot change what the doll says. It’s already happening too, with reports that Internet-connected baby monitors have been used to scream obscenities at infants surfacing over the past couple of years. And owing to the fact the server was vulnerable to a well-known exploit to downgrade and break web encryption, known as the POODLE attack, the hackers could have effectively accessed and listened to children’s recordings.

All this has Josh Golin, executive director of the Campaign for a Commercial-Free Childhood, wondering what’s wrong with a good, old-fashioned book or model train set under the tree instead. “The best toys are the toys where children have to use their imaginations, where if there’s pretend going on, the children are the ones generating the pretend play and the creativity,” Golin said. “Even if there weren’t all these privacy concerns and worries about these toys being hacked, I would recommend the toy that isn’t connected to the Internet.” Of all the smart toys that are in development or have been recently released, Hello Barbie has created the most controversy. Known as POODLE, it allows an attacker to trick servers to use a weak form of encryption that one could easily crack after intercepting the data, Hay said.

Last week, NBC reported the work of researcher Matt Jakubowski, who was able to hack Hello Barbie’s OS when it was connected to Wi-Fi, allowing him complete access to private information stored within. In the report he concludes that if the vulnerabilities of Hello Barbie aren’t patched, it’s only a matter of time before hackers can replace Hello Barbie’s cloud-based brain with another. A company called Elemental Path is now taking orders for Green Dino, which also connects to a cloud-based server to analyze a child’s statements and respond. She has me imagine my own couture wardrobe, asks me to help her pick out outfits for sleepovers and dances, and often reminds me that “clothes say something about who you are”. ToyTalk has even started a “bug bounty” program that rewards independent researchers who come forward with problems they have found and work with the company to fix them.

Amazon.com Inc.’s Echo isn’t a toy – it’s a voice interaction device that can play music, set alarms and control other home smart devices – but it raises similar concerns about the collection and storage of children’s data and conversations. But the doll’s own privacy policy says that even though the companies take “reasonable measures” to protect the information it collects, they cannot promise to keep it safe: “Despite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse.” However, even with that caveat, experts say that the doll’s security problems may open the companies up to action from the Federal Trade Commission, which cracks down when companies violate their privacy promises, because consumers probably expect that reasonable measures include protecting against well-known security flaws such as POODLE.

It would be difficult for any parent to resist them, should they somehow be able to scrape up the cash, because these toys are pretty darned expensive. Last spring, Google Inc. filed a patent for a smart teddy bear, equipped with cameras and microphones that drew comparisons to the super toy teddy in Steven Spielberg’s 2001 film AI. The agency also has special powers to go after companies that fail to adequately protect the personal information of children 12 and under – including voice recordings – under the Children’s Online Privacy Protection Act.

Still, these reports, coupled with the huge breach of VTech’s servers, underscore the fact that though companies are anxious to sell you connected toys for your kids, they’re not taking security seriously enough. When I tell her my fiance and I aren’t sure whether we’ll have children, whereas my childless friends lecture on the subject with authority, Barbie suggests: Having kids is a really important decision. There are several varieties of light saber, more action figures than you could shake a stick at (and I have no idea where that expression comes from), and even a quadcopter drone that looks like the Millennium Falcon. “You’re collecting this information to profit-maximize,” Fewer said. “The problem with privacy-related transactions is we never really know the deal.

We don’t know exactly what we’re giving up, we don’t know the cost to us.” Fewer said Canadian children using technology-enabled toys have legal protection. It’s one of Sphero’s fascinating robotic balls that’s configured to look like the BB-8 droid from this year’s “Star Wars.” Under either voice commands, or a special smartphone application, it rolls around in spectacular ways, with its head magically, actually magnetically, floating on top. Brian Bourne, co-founder of the information technology security conference SecTor, said we partly have our own apathy to blame. “People have understood for a long time that with Facebook, they’re giving up their privacy and being targeted (by marketers),” Bourne said. “You start to become numb.” For parents who decide to let their children play with smart toys, Bourne said it’s important to remember you don’t have to give up personal information just because you’re asked. “You don’t have to put in your kids’ full, real name and full, real date of birth. Barbie calls me a “force to be reckoned with”, a “scientific genius” with an “amazing singing voice” and “amazing taste”, and even “the belle of the ball”. (Though Mattel has begun to market Barbies to boys, Hello Barbie assumes I’m a girl, or at least enforces female gender-normative tropes on to me, which is a refreshing change of pace.) I’m still trying to learn what we have in common, yet Barbie’s already reminded three times: You’ve always been such a good friend to me. After several rounds of trying to get Barbie to talk, I discover she’ll answer my inquiries if I preface them with “Barbie, can I ask you a question?” Her full name is Barbara Millicent Roberts.

But I can’t argue against toys like Dash and Dot, little robots that introduce kids to the idea that problems can be broken down into simple programmable steps. And if you think your little kid might be interested in robotics, there are worse toys than Meccano Meccanoid, robots you can assemble and program, in which you could invest. But I have to confess that, although the new virtual reality View-Master VR, that uses your smartphone, is pretty nifty, my old View-Master, which I still have and which uses those old circular cardboard transparency holders, will always have a special place in my heart. When I ask what she thinks of the Syrian refugee crisis, or how she feels, with her clumped-together frog fingers and never-ageing face, to be free of what novelist Michel Houellebecq calls “that basic inequality between men, whose erotic potential diminishes very slowly as they age, and women, for whom the collapse comes with shocking brutality from one year, or even one month, to the next”, or even if she celebrates Christmas, she says, Wow, no one’s ever asked me that before.

Co-workers, friends, the barista, the bartender – whenever they meet Barbie or if I tell them about her inability to listen and her obsession with fashion, they all crack the same easy joke: “Typical woman.” But she’s far from it. Even though she often says What would I do without you? whenever I turn her on, she brags about the adventures she’s just returned from: camping trips, volunteering at a wildlife reserve, pyjama parties, paddleboard lessons.

Her soul leads a globetrotting life in Wi-Fi, while her body remains here cracking lame fashion jokes she promises will have me in stitches but really make me wrinkle. Maybe ToyTalk cut me off after listening to the audio from our Fairy Tale Reporters Game, when I speculated the princess fled from the castle to avoid a cannibalism charge for eating the prince. Why are you such an idiot? (Barbie answers this with a typical non sequitur: You’ve never looked in the mirror and had a fashion freeze?) My five-year-old cousin Dan enlists three other cousins to assassinate her in a Nerf-gun firing squad. Just as Hasbro’s new purring and meowing robotic cats might help comfort the lonely elderly, Hello Barbie may help bolster bullied and ignored girls’ self-esteem. “I don’t have time to hear about it right now,” I say. “Nor do I have time for the Chef Game, or the Family Town Game, or the Silly Jobs Game.
