Hello Barbie, Can We Talk About Your Security Issues?

New security issues that surfaced last week in connection with Mattel’s Hello Barbie doll, which talks back to children, have heightened fears that hackers could use the toy to steal information about its owners and their families.

The Hello Barbie app, which is available for iOS and Android, uses an authentication credential that can be reused by hackers, Bluebox disclosed.

It also connects a mobile device to any unsecured WiFi network whose name includes the word “Barbie,” the firm said. Further, it is shipped with unused code that serves no useful function but does increase the overall attack surface.
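To make the network-joining issue concrete, here is an added example (not ToyTalk’s or Bluebox’s code) that contrasts a substring-based auto-join policy of the kind described above with a stricter policy a setup app could use instead. The SSIDs, the scan results and the hardened policy itself are constructed assumptions for illustration.

```python
"""Setup-app network selection: weak substring policy vs. a hardened one.

Added example. SAMPLE_SCAN, the SSIDs and the hardened policy are constructed
assumptions, not the Hello Barbie app's actual logic.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Network:
    ssid: str
    encrypted: bool   # False means an open (unsecured) network
    bssid: str        # access-point MAC; constructed sample values below


# Constructed scan result: a look-alike open network appears before the
# doll's own setup network, and a WPA2 home network is also in range.
SAMPLE_SCAN: List[Network] = [
    Network("BarbieFan-Cafe", encrypted=False, bssid="02:00:00:00:00:01"),
    Network("Barbie-1A2B", encrypted=False, bssid="02:00:00:00:00:02"),
    Network("HomeNet", encrypted=True, bssid="02:00:00:00:00:03"),
]


def weak_pick(networks: List[Network]) -> Optional[Network]:
    """Weak policy: join the first open network whose name contains 'barbie'.

    A case-insensitive substring match over open networks means any nearby
    access point with a look-alike name is accepted automatically.
    """
    for n in networks:
        if not n.encrypted and "barbie" in n.ssid.lower():
            return n
    return None


def hardened_pick(networks: List[Network], expected_ssid: str,
                  user_confirmed: bool) -> Optional[Network]:
    """Hardened policy (assumed design, not the vendor's):
    - the user must explicitly confirm the setup step;
    - the SSID must match exactly the device-specific name shown to the user;
    - if zero or more than one access point advertises that name, refuse
      rather than guess, so a duplicate SSID cannot win by appearing first.
    """
    if not user_confirmed:
        return None
    matches = [n for n in networks if n.ssid == expected_ssid]
    if len(matches) != 1:
        return None
    return matches[0]


if __name__ == "__main__":
    print("weak policy joins:", weak_pick(SAMPLE_SCAN))
    print("hardened policy joins:",
          hardened_pick(SAMPLE_SCAN, "Barbie-1A2B", user_confirmed=True))
```

The weak policy joins the look-alike network simply because it sorts first; the hardened policy requires an exact, unambiguous match and a confirming user action, which removes the substring match as a decision input.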

On the server side, hackers could use client certificate authentication credentials outside the app to probe the Hello Barbie cloud servers, Bluebox found. Also, the server domain for ToyTalk, which provides the app and the technology that powers Hello Barbie, was on a cloud infrastructure vulnerable to the POODLE attack.

“The fact the doll was shipped with such obvious security issues is just another indication of both companies’ blatant disregard for children’s well-being,” said Josh Golin, executive director of the Campaign for a Commercial-Free Childhood (CCFC), which is running the “Hell No Barbie” campaign against the talking doll.

Fixing the Problem

“ToyTalk has patched the POODLE vulnerability on their servers, along with a few other minor issues that had minimal impact,” said Andrew Blaich, lead security analyst at Bluebox.

However, the credentials issue “is still being worked on,” he told TechNewsWorld. “ToyTalk has indicated it is an issue and will be investigating solutions, but in the meantime they have other layers of authentication that can make an attack a bit harder.”

ToyTalk assumed a sophisticated hacker would discover the P12 certificate in the Hello Barbie app, noted company CTO Martin Reddy.

“We added client certificate authentication, above and beyond what most Internet-connected devices do, as a way to deter a casual attacker,” he told TechNewsWorld.

This attack is only possible during the brief period needed for users to connect the doll to their WiFi networks, Reddy said, and it would not get anywhere because “even after circumventing this feature, the attacker gains no access to WiFi passwords, no access to child audio data, and cannot change what the doll says.”

Earlier Attacks

Hackers previously have been able to take over and change Hello Barbie’s prerecorded responses, noted security researcher Matthew Jakubowski, who said he had hacked the doll’s OS and gathered system information, WiFi network names, its internal MAC address, account IDs, and the MP3 files used for prerecorded responses.

That information could be used to access the home WiFi network of the doll’s owner and everything Hello Barbie records, he said.

Mattel and ToyTalk “have taken numerous steps to ensure Hello Barbie meets security and safety protocols,” Mattel said in a statement provided to TechNewsWorld by company spokesperson Marissa Beck.

“In all claims we know about, no children’s audio files have been accessed; no passwords have been compromised; no personal information was disclosed; and no dolls have been made to say anything unintended.”

However, parents reportedly can choose to have audio files of conversations their children have with Hello Barbie stored on ToyTalk’s website. The parents can access the files after logging in, but if hackers were to figure out their passwords, they could access the files as well.

Not So Smart Toys

There are currently no industry standards governing Internet-connected toys, or the IoT in general.

“Trusting the companies to protect children will not work,” CCFC’s Golin said. “We absolutely need policy solutions to ensure these devices are secure and do not serve up ads.”

Parents “have no way of knowing if the toy they’re purchasing was securely designed and developed,” Kymberlee Price, Bugcrowd’s senior director of research operations, told TechNewsWorld. “Underestimating the threat … has put hundreds of thousands of children and millions of parents at risk of identity theft, fraud or worse.”