Beware Hacker Bait Barbie
Step away from the Internet-connected toys, please.
Today Bluebox Labs, with independent researcher Andrew Hay, released a report showing major security issues in the iOS and Android versions of the Hello Barbie mobile app developed by Mattel partner ToyTalk, as well as in the wireless communications between the doll and the cloud-based servers that process audio uploads. These findings come on top of security issues in the doll itself that could let an attacker zero in on a child's home address, according to NBC News.
And of course, VTech Holdings recently suffered a breach that exposed records of 6.4 million children and 4.9 million adults.
Internet of Things security problems aren't just theoretical, and it's not difficult to imagine serious consequences if the Barbie app were modified to reveal confidential information, including passwords, which Bluebox says is a real possibility.
The Wi-Fi-connected Barbie works by recording a child's comments or questions, uploading the audio to the cloud, then returning artificial-intelligence-based responses to approximate a real-time conversation. It's a slick use of IoT tech, but unfortunately the implementation is riddled with holes. Besides the possibility of revealing Wi-Fi passwords, the app will connect the doll to any unsecured Wi-Fi network that has "Barbie" in the name, so an attacker only has to stand up an open access point with a look-alike name to impersonate the doll's network. Moreover, the client certificate credentials the app uses to authenticate to the cloud could be pulled out and used outside the app to probe Hello Barbie cloud servers for more vulnerabilities. And, the researchers say, the ToyTalk server domain was hosted on cloud infrastructure still accepting SSLv3 and therefore susceptible to the POODLE attack, meaning an attacker positioned between the doll and the server could force the connection down to SSLv3 and listen in on the child's uploaded audio conversation.
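The following is a constructed illustration added for this article; it is not ToyTalk's or Mattel's code and makes no claim about how the real app is written. It puts the reported network-selection weakness (join any open network whose name contains "Barbie") beside a hardened version that joins only an exact, pre-known SSID and releases the home Wi-Fi password only after the peer proves it holds a per-doll pairing secret, and adds a TLS client policy that refuses anything older than TLS 1.2 so the SSLv3 fallback POODLE depends on cannot happen. The SSIDs, BSSIDs, scan results and the challenge-response pairing step are all assumptions made up for the example.

```python
# Constructed illustration, not ToyTalk/Mattel code: the network-selection
# weakness described in the article beside a hardened version, plus a TLS
# client policy that rules out the SSLv3 downgrade POODLE depends on.
# The SSIDs, BSSIDs, pairing secret and scan results are made up, and the
# "pairing secret" handshake is an assumed design, not the doll's real one.
import hashlib
import hmac
import secrets
import ssl
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Network:
    ssid: str
    secured: bool  # True for WPA2/WPA3, False for an open network
    bssid: str = ""  # AP hardware address, informational only


# Constructed scan results. "Barbie-Free-WiFi" is an attacker's open AP;
# "Barbie-5E3A" stands in for the doll's own setup network.
SCAN = [
    Network("Barbie-Free-WiFi", secured=False, bssid="de:ad:be:ef:00:01"),
    Network("Barbie-5E3A", secured=False, bssid="02:00:00:00:5e:3a"),
    Network("HomeNet", secured=True, bssid="02:00:00:00:00:01"),
]


def pick_network_weak(scan: Iterable[Network]) -> Optional[Network]:
    """The reported behaviour: join the first open network whose name
    merely contains "Barbie". Whoever's AP shows up first in the scan wins."""
    for n in scan:
        if "barbie" in n.ssid.lower() and not n.secured:
            return n
    return None


def pick_network_hardened(scan: Iterable[Network], expected_ssid: str) -> Optional[Network]:
    """Join only an exact match for an SSID the app already knows (assumed
    here to come from a label or code on the doll), and refuse if the name
    is absent or appears more than once."""
    matches = [n for n in scan if n.ssid == expected_ssid]
    return matches[0] if len(matches) == 1 else None


def doll_response(pairing_secret: bytes, challenge: bytes) -> bytes:
    """What the genuine doll would compute over the app's challenge."""
    return hmac.new(pairing_secret, challenge, hashlib.sha256).digest()


def release_home_password(pairing_secret: bytes, challenge: bytes,
                          response: bytes, home_password: str) -> Optional[str]:
    """Hand the home Wi-Fi password across the setup link only after the
    peer proves it holds the per-doll secret. A look-alike AP has nothing
    to answer with, so it gets None instead of the password."""
    if not hmac.compare_digest(doll_response(pairing_secret, challenge), response):
        return None
    return home_password


def client_tls_context() -> ssl.SSLContext:
    """Client context for the audio upload: certificate and hostname checks
    on, and nothing older than TLS 1.2, so a middleman cannot force the
    SSLv3 fallback that POODLE requires."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak logic picks:", pick_network_weak(SCAN).ssid)
    print("hardened logic picks:", pick_network_hardened(SCAN, "Barbie-5E3A").ssid)
    secret = secrets.token_bytes(32)
    challenge = secrets.token_bytes(16)
    genuine = doll_response(secret, challenge)
    print("genuine doll gets:", release_home_password(secret, challenge, genuine, "hunter2"))
    print("impostor AP gets:", release_home_password(secret, challenge, b"\x00" * 32, "hunter2"))
```

Run as-is: the weak selector joins the attacker's "Barbie-Free-WiFi" because it is first in the scan, while the hardened selector ignores it and refuses when the expected SSID is missing or duplicated. The pairing step is the part that actually closes the hole: exact SSID matching alone is still spoofable by anyone who can read the doll's label, so the password is withheld until the peer answers a fresh challenge with the per-doll secret.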
Fortunately, Bluebox Labs disclosed all critical security issues to ToyTalk, which has already resolved many of them. Overall, though, the message is clear: mobile apps associated with IoT devices are a potential source of problems, and toymakers seem unwilling to expend the time and money required for secure application development or to integrate self-defending capabilities into mobile and IoT apps. Earlier this year, Bluebox released research showing security problems in nine of the most popular children's tablets as well. If you send a newsletter to customers, warnings on IoT-related toy vulnerabilities are timely and worth including.
Got an innovative security or IoT project in the works? Entries are open now for our fourth annual Channel Partners’ 360° awards program. Follow editor in chief @LornaGarey on Twitter.