The internet-connected doll had security flaws that would make it possible for a hacker to eavesdrop on conversations.
The internet-connected Hello Barbie doll listens to children and responds to them using voice recognition technology. But due to several flaws in the doll's cloud infrastructure, as well as in its smartphone apps, the doll might not have been the only one listening—hackers could have been listening in too, according to security researchers.
Ever since its release earlier this year, privacy advocates warned that Hello Barbie could pose risks, given that the doll sends kids' recordings over the internet and stores them in the cloud.
Now, researchers at security firm Bluebox Labs, working with independent researcher Andrew Hay, have detailed several flaws that could have allowed hackers to spy on children's conversations with the doll.
The report, which was released on Friday, comes on the heels of similar but separate independent findings on how hackers could exploit Hello Barbie. And just a few weeks after the massive breach at toymaker VTech, which exposed the personal data of more than 6 million children, it's clear that there is a danger if you buy and use internet-connected toys.
"They could force a downgrade of the connection to try to steal any of the conversations that are uploaded from the doll"
This new report shows that hackers could have intercepted the encrypted data sent between the doll and the servers of its maker ToyTalk. And owing to the fact the server was vulnerable to a well-known exploit to downgrade and break web encryption, known as the POODLE attack, the hackers could have effectively accessed and listened to children's recordings.
"That meant that if someone was listening to the connection and the communication channel, they could force a downgrade of the connection to try to steal any of the conversations that are uploaded from the doll," Andrew Blaich, a researcher at Bluebox Labs, told Motherboard in a phone interview.
The researchers also found that the app used to connect the doll to the internet was vulnerable, and that hackers could have replaced it with a malicious one. Moreover, during its setup process, the doll was programmed to connect to any WiFi network with the word "Barbie" in it, potentially allowing criminals to intercept all data.
"If you were an attacker that was in an area where people are setting these out, you could spoof a network that has the name Barbie in it and coerce somebody to connect to it," Blaich said.
The good news is that ToyTalk reacted quickly, and was very responsive and collaborative with the researchers, Blaich said. As a result, he added, most of the issues they reported are now fixed.
ToyTalk has started a bug bounty program for Hello Barbie
Blaich and his colleagues reported the bugs in mid-November, and ToyTalk quickly patched the issue, according to the report. Martin Reddy, The co-founder and chief technology officer of ToyTalk, the company that manufactured the doll along with toy giant Mattel, confirmed that the bugs reported by the researchers have been fixed.
That's why, Reddy added, parents shouldn't be worried about buying an Hello Barbie doll.
"We put parents directly in control of their child's data, beginning with parental consent and by giving them the option to review and delete any or all of their child's interactions with Hello Barbie," Reddy said in an email, where he also added that the company has started a bug bounty program for Hello Barbie so friendly hackers can report more bugs.
Yet Blaich warned parents should be careful, especially in the wake of the VTech breach.
"As more and more stuff is connected to the network and we're sending more stuff to servers that we don't know where they may be located and what sort of security is on them, the best advice for parents is to be careful and be aware of what information they're sending through internet connected devices," Blaich told me. "Once the information is out of your control you don't know what's going to happen with it next next."
This article was amended. The independent researcher who worked with BlueBox is Andrew Hay, not Andrew Hall.