Researchers find 14 more bugs in the internet-connected toy, some of which still haven't been fixed.
A disassembled Hello Barbie doll. Image: Somerset Recon
A group of security researchers claim to have found a new set of vulnerabilities affecting the internet-connected Hello Barbie toy made by ToyTalk—or, more accurately, the web servers that the toy communicates with.
Released in November, Hello Barbie uses voice recognition to identify sentences and phrases spoken aloud to the doll, and then responds with lines of related, pre-recorded dialogue. The process mostly happens in the cloud, on remote servers, and no audio is stored on the device.
The connected nature of the children's toy has stoked fears that attackers could take control of Hello Barbie and turn it into a remote surveillance device—similar to what has been done with internet-enabled baby monitors. Researchers previously found that they could intercept and decrypt communications between the doll and ToyTalk's servers, a flaw that has since been fixed.
In a report published Monday, researchers at the San Diego-based Somerset Recon found that while the physical doll itself was particularly well protected against most attacks, the bulk of the vulnerabilities lay in ToyTalk's websites and web services.
A total of 14 vulnerabilities were found, 10 considered low risk, and four rated medium risk by the team. Seven vulnerabilities have since been patched, according to the researchers' report. Only two apply directly to the doll itself, and are considered low severity.
While the researchers found that the toy itself was relatively secure, employing encryption and keeping sensitive information off the toy's hardware, "what [the company] failed to do was properly harden their web services," according to Somerset Recon's blog post.
ToyTalk spokesperson Tom Sarris said via email that the company is "pleased" with the overall conclusion of the report, "which affirms our thoughtful approach and continued vigilance to security."
According to the report, the researchers say they were able to brute force user passwords with "unlimited retries"—in other words, attempt to guess a target's password again and again without being locked out by the system. Passwords, meanwhile, were required to be at least eight characters long, but no additional complexity, such as symbols or numbers, was required, increasing the likelihood that a brute force attack would succeed.
The report stated that neither vulnerability had been fixed at the time of the publication.
In an email, Sarris wrote that password attempts were limited to "approximately 12 requests per minute" when using the researchers' method. "Note that once this threshold is reached, all responses look identical to a failed guess so as to not be helpful to an attacker," the email continued, "i.e., guessing the right password has the same result as guessing the wrong password after the threshold is reached."
ToyTalk added that its password convention "is considered to be in line with security best practices," and is the same character policy used by Google. "We highly encourage parents to use strong and unique passwords for the online services in which they engage," Sarris wrote.
The researchers say they also found a way to query ToyTalk's servers to confirm whether or not a given email address had a Hello Barbie account. ToyTalk, however, wrote in an email that its API's username lookup feature could not be used to confirm every valid Hello Barbie email address this way, only those an attacker already knew or had guessed.
"However, this end-point is very limited since after the query threshold is met all subsequent responses report that the account is unregistered even if it actually exists," Sarris continued. "This action prevents attackers from enumerating the full list of external email addresses."
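The two server-side behaviours discussed above, a login endpoint that throttles guesses and then makes correct and incorrect guesses indistinguishable, and an account-lookup endpoint that reports "unregistered" for everything once a caller crosses its threshold, can be illustrated with a small self-contained model. The code below is an added example written for this article; it is not ToyTalk's code, and everything in it (the sliding-window throttle, the 12-per-minute allowance borrowed from Sarris's figure, the PBKDF2 password hashing, the tiny blocklist, the injectable clock) is an assumption made for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed policy values for this example. The 12-per-minute figure echoes the
# threshold ToyTalk described; the window, length floor and blocklist are assumptions.
MAX_ATTEMPTS_PER_WINDOW = 12
WINDOW_SECONDS = 60
MIN_PASSWORD_LENGTH = 8
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "barbie123"}  # constructed


def hash_password(password, salt=b""):
    """PBKDF2-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def password_acceptable(password):
    """A length floor plus a blocklist, instead of symbol/number composition rules."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


class ThrottledAuth:
    """Login and account-lookup endpoints that stop leaking information once a
    per-key attempt threshold is crossed within a sliding time window."""

    FAIL = {"ok": False, "error": "invalid credentials"}  # the only failure shape

    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable so tests can move time
        self._users = {}                         # email -> (salt, digest)
        self._attempts = defaultdict(deque)      # throttle key -> attempt timestamps

    def register(self, email, password):
        if not password_acceptable(password):
            raise ValueError("password rejected by policy")
        self._users[email.lower()] = hash_password(password)

    def _over_threshold(self, key):
        """Record one attempt under `key` and report whether the key has now
        exceeded the allowance for the current window."""
        now = self._clock()
        window = self._attempts[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        return len(window) > MAX_ATTEMPTS_PER_WINDOW

    def login(self, email, password):
        email = email.lower()
        throttled = self._over_threshold("login:" + email)
        record = self._users.get(email)
        if record is None:
            # Burn a hash anyway so response time does not reveal unknown accounts.
            hash_password(password, b"\x00" * 16)
            return dict(self.FAIL)
        salt, digest = record
        _, candidate = hash_password(password, salt)
        # Past the threshold a correct password gets the same answer as a wrong one.
        if throttled or not hmac.compare_digest(candidate, digest):
            return dict(self.FAIL)
        return {"ok": True, "account": email}

    def account_registered(self, email, source):
        """Lookup endpoint throttled per calling source (e.g. client address);
        past the threshold every answer is 'unregistered', whether or not it is."""
        if self._over_threshold("lookup:" + source):
            return False
        return email.lower() in self._users
```

The throttle key for logins is the target account, so a guesser cannot reset the counter by changing source addresses; the lookup endpoint is keyed on the caller instead, since the whole point of that attack is to cycle through many addresses from one place. The uniform `FAIL` response and the dummy hash for unknown accounts are what keep the endpoint from confirming which guesses were close.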
The researchers were also able to redirect users to potentially malicious URLs after logging into the ToyTalk website, and found that password reset pages were unencrypted and that the link to the page never expired. Both flaws have since been fixed.
While these attacks could be carried out remotely, others required closer proximity. The researchers were able to steal a user account's cookie (a small file stored on the user's computer so that they don't have to re-enter their username and password on each visit to the site) but only if that user was connected to a WiFi network also controlled by the attackers. This enabled the researchers to then take control of the account.
Worse, ToyTalk's cookies did not expire, meaning they could be reused to log into the account at any time. Both vulnerabilities have already been fixed.
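The three web-service defects just described (a post-login redirect that could point anywhere, reset links that never expired, and session cookies that never expired) all come down to giving a URL or a credential a bound it did not have. The block below is an added example, not ToyTalk's or Somerset Recon's code, showing the defensive side of each: a same-site check for redirect targets, HMAC-signed reset tokens with an expiry, and a session cookie carrying `Max-Age`, `Secure` and `HttpOnly`. The host name, key, lifetimes and token layout are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlparse

SITE_HOST = "app.example.com"           # constructed stand-in for the real site
RESET_TOKEN_TTL = 15 * 60               # assumption: reset links die after 15 minutes
SESSION_TTL = 24 * 60 * 60              # assumption: sessions die after one day
SERVER_KEY = secrets.token_bytes(32)    # constructed; a real key lives in a secret store


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(account, now=None):
    """Signed, expiring, single-purpose token to embed in a password-reset link."""
    now = time.time() if now is None else now
    claims = {"acct": account, "exp": int(now) + RESET_TOKEN_TTL, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(mac)


def verify_reset_token(token, now=None):
    """Return the account the token was issued for, or None if it is forged or stale."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body, mac = _b64d(body_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None                      # signature check before trusting any claim
    claims = json.loads(body)
    if now > claims["exp"]:
        return None                      # the link is only useful for a short while
    return claims["acct"]


def session_cookie(session_id, ttl=SESSION_TTL):
    """Set-Cookie value: bounded lifetime, TLS only, not readable by page scripts."""
    return f"session={session_id}; Max-Age={ttl}; Path=/; Secure; HttpOnly; SameSite=Lax"


def safe_redirect_target(candidate, default="/"):
    """Open-redirect check: accept a site-relative path or an https URL on our host."""
    candidate = candidate.strip()
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return default                   # backslashes and control chars confuse parsers
    parts = urlparse(candidate)
    if parts.scheme == "" and parts.netloc == "" and candidate.startswith("/") \
            and not candidate.startswith("//"):
        return candidate
    if parts.scheme == "https" and parts.netloc == SITE_HOST:
        return candidate
    return default
```

A stolen cookie is only as valuable as the time it remains valid, which is why `Max-Age` matters as much as `Secure`; the `Secure` attribute keeps the browser from sending the cookie over plain HTTP at all, closing the on-path capture route described above.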
As for attacks on the toy itself, an attacker in close physical proximity to the toy could take advantage of the toy's configuration mode—two buttons must be pressed at the same time to enter this mode—to obtain the owner's account ID, and use this ID to upload arbitrary audio to that account from a computer. The wireless access point the toy creates during configuration is also unencrypted.
According to the report, the speed with which some of the bugs were patched—in some cases, shortly after the researchers identified them—led the researchers to believe that other groups had found the same bugs, too.
A previous report by security firm Bluebox Labs found that ToyTalk servers were also vulnerable to the well-known POODLE attack, which can break the encryption between the doll and the server (the vulnerability has since been fixed).
"This issue has been fixed now, but it's important to note that these servers were never used by Hello Barbie, and that the doll never had this vulnerability," a ToyTalk blog post authored by co-founder and chief technology officer Martin Reddy reads.
In that same post, Reddy announced that the company had started a bug bounty program through a service called HackerOne so that researchers might receive monetary rewards between $100 and $10,000 USD as an incentive for reporting additional bugs. However, due to the ease with which some of the bugs were discovered, the researchers suggested that the company may have launched the bug bounty program in lieu of a proper security audit prior to Hello Barbie's release.
Sarris disputed this in an email. "ToyTalk openly engages with the security community and actively encourages feedback from it, which we take very seriously," he wrote. "ToyTalk and Mattel worked together with an external security company which performed an audit of the Hello Barbie security infrastructure prior to the product's launch in late November 2015 and in the weeks that followed. Moreover, we worked closely with Bluebox several weeks ago and immediately addressed their feedback about Hello Barbie security."
"Coincident with the release of Hello Barbie, ToyTalk established a bug bounty program through Hacker One to encourage responsible disclosure of potential security issues," Sarris continued. "That bug bounty program, along with the external security audit, had already brought to our attention issues raised in the Somerset Recon report, most of which were addressed late last year."
In their conclusion, the researchers suggest that parents use a strong password to secure the Hello Barbie account, use the doll only on a trusted wireless network that is protected with a strong password, and, as with any web service, understand the risks of storing personal information on a remote server.
"The actual doll and mobile device do not store or share much interesting information," they write. "What consumers need to decide is whether they are willing to trust their children's content with ToyTalk."