
Hello Barbie Doll (Photo : YouTube)

A report released on Friday by security experts warned that the internet-connected Hello Barbie doll has a lot of security flaws in its system, making the toy and its owners vulnerable to hacking.

Bluebox Security and Andrew Hay, an independent security researcher, say that the doll, which uses artificial intelligence to respond, has a vulnerable mobile app and cloud storage that could allow hackers to eavesdrop, reports The Washington Post.


But Mattel spokesperson Michelle Chidoni said the toy manufacturing giant is aware of the report and is working closely with ToyTalk to ensure that Hello Barbie is safe and secure. ToyTalk is the company behind the doll's voice features.

ToyTalk co-founder and Chief Technology Officer Martin Reddy said they are coordinating with Bluebox and had fixed many of the issues the report brought up. Bluebox informed ToyTalk of its findings in mid-November.

These problems include the use of a "hardcoded" password by the digital certificate, meaning the app has the same password for all users. If a hacker figures out the password, they could create a fake app that has the potential to steal information, including audio recordings sent between the doll and ToyTalk's servers.

Another problem is that the app connects the phone to any unsecured WiFi network whose name uses the word "Barbie." The setup makes it easier for a hacker to create a Barbie-labeled WiFi hub to filch data.

The servers that connect Hello Barbie are also vulnerable to Poodle, an encryption-busting bug that Google researchers warned about in 2014, notes Fortune.

Bluebox lead security analyst Andrew Bleich points out that if people want to use connected toys, whether a doll or a tablet, they have to be careful about whether the information sent to and from the servers is secured. He stresses, "Once data is out of your control, that's it - there's no taking it back, essentially."

The doll, which consumer groups warned about even before the Bluebox report, has a button on its tummy that records whatever the child says whenever that button is pressed. The audio file is sent over the internet to the server for processing, and then the doll answers using one of the thousands of pre-recorded messages. However, unlike ordinary dolls, Hello Barbie requires the parent's consent to its terms of use. They must also set it up using a mobile app.


The Bluebox and consumer advocate warnings are timely, since VTech, a toymaker in Hong Kong, suffered a hack that exposed some information on about 5 million customers.