Friday, December 04, 2015 by Greg White
For most young girls, Christmas won’t be complete without receiving their favorite Barbie dolls as a gift. Yet, security officials warn that this year’s newest Barbie incarnation, Hello Barbie, isn’t just a fun doll for girls — it can also be a means for hackers to spy on children.
Hello Barbie is touted as the world’s first interactive doll, capable of listening to children and responding to their questions, like Apple’s Siri and Google Now. It records a conversation with a microphone, connects to the Internet, sends the information to a third party and responds in natural language.
Critics have expressed concerns that Hello Barbie fosters anti-social behavior and that children may not realize the doll is in fact a doll, rather than a living person. Adding to these concerns, security researchers have warned that when connected to Wi-Fi, Hello Barbie is susceptible to hacking.
When the doll is breached, hackers have access to its system information, account information, stored audio files and microphone. Criminals could easily use the microphone as a surveillance device to eavesdrop on family conversations. The revelation comes just weeks after reports surfaced of hackers obtaining photos of children and chat logs from toy maker Vtech, which specializes in making electronic learning devices.
Hello Barbie currently wears a price tag of $75. Since the doll can recall conversations, learn about a child and respond to questions, it almost seems alive. These conversations are stored in the cloud, which parents can access with an app linked to the doll.
But, unfortunately, it’s not just parents who have access to this information. US security researcher Matt Jakubowski was able to hack the doll’s operating system to obtain network names and IDs. Once inside the network, it was easy for Jakubowski to access account information and stored audio files and to listen to conversations over the microphone.
“You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want,” Jakubowski told NBC.
The doll listens to conversations only while a button is pressed, and the recorded audio is encrypted before being sent over the Internet. Once a hacker is able to seize control of the doll, however, it would be easy for that third party to override its security features.
What is most troubling is how easy it is for hackers to manipulate Hello Barbie’s security features. The information stored inside the doll could give hackers access to a home’s Wi-Fi and Internet-connected devices. By doing this, they could steal personal information and create havoc for uninformed parents.
“An enthusiastic researcher has reported finding some device data and called that a hack,” ToyTalk’s boss Oren Jacob told The Guardian. “While the path that researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App.”
“No user data, no Barbie content, and no major security nor privacy protections has been compromised to our knowledge,” he added.
The toy has been subject to criticism by privacy campaigners ever since it debuted in March. Critics argued that dolls that record and analyze private conversations should not be made available on the market. A Hello Barbie placed in the hands of thousands of children would be a linchpin for hackers.
ToyTalk’s Chief Technical Officer Martin Reddy responded to critics by assuring, “We are extremely concerned with the privacy, security and safety of the kids’ data.”
“We don’t share any of those (audio) clips with Mattel and we certainly don’t use any of that content to advertise or market to kids. In fact, we would be breaking the law if we did that, so we won’t do that.”
Mattel and ToyTalk both went on to note that parents are required to agree to a privacy statement when connecting Hello Barbie to the Internet and before the child can interact with the toy.
“Mattel and its partners, such as ToyTalk, take a number of steps to ensure all of our products conform with applicable laws and standards, including the Children’s Online Privacy Protection Act,” Mattel said in a statement.
Despite these reassurances, Pam Dixon, the executive director of the World Privacy Forum, says there are still privacy concerns that must be addressed.
“I worry about children who are saying things about their parents that they would never tell anyone else,” she explained.
“It’s just a toy, but this toy is really a sophisticated recording device and if it’s recorded, they’ll go after it. That’s how it works.”
“I promise you, Hello Barbie would be a huge source of really private personal data about a child that could be used in litigation,” she added.