Hello Barbie, Goodbye Privacy? Hacker Raises Security Concerns

An Internet-enabled doll is a hot holiday toy, but a researcher has found it could be making users vulnerable to a breach of privacy.

11/30/2015 04:45 pm ET

Barbie dolls are at the top of some children's wish lists this holiday season, but parents may want to ignore these requests and instead grant their families the gift of privacy.

Hello Barbie, which retails for about $75, uses a microphone, voice recognition software and artificial intelligence to enable a call-and-response function similar to Siri or Google Now. A free smartphone app that connects the toy to a user's Wi-Fi network brings this Barbie into a class of technology often referred to as the Internet of Things, or IoT.

Some security researchers say this technology makes the doll susceptible to being hacked and could compromise its owners' privacy. 

Matt Jakubowski was able to get into the toy's system to access users' system information, Wi-Fi network names, internal MAC addresses, account IDs and MP3 files, he told NBC Chicago. He added that he would be able to use this data to find someone's house and personal information, and could access their home network and listen to everything Barbie records.

"It's just a matter of time until we are able to replace her servers with ours, and have her say anything we want," he said.

Privacy experts have been speaking out about the toy since March, voicing concerns about potential advertisers being able to collect information that could exploit children's preferences.

Mattel, which manufactures the Barbie brand, partnered with entertainment company ToyTalk to develop the doll's technology.  

Despite potential risks associated with the Barbie, Jakubowski has commended ToyTalk for its efforts to protect consumers' security so far, telling Global News via email:

“Overall I think ToyTalk has done an outstanding job on the security protocols they have in place. The doll when in wifi mode requires a client-side cert to be valid in order to access any of the data, it also limits the data that it can accept thus limiting the attack surface.”

“ToyTalk also appears to be using HTTPS for all communications to ensure no eavesdropping of any kind can happen. These are all good levels of security that you don’t typically see in many IoT devices. ToyTalk has certainly taken many of the concerns and has addressed them as best as they could.”

ToyTalk says it collects voice-recorded data but only to help improve the user's experience. The company also states it may share data with third parties, but limits this sharing of information to parties that help with speech recognition, improving products and other research and development. 

ToyTalk told The Huffington Post that the doll, like all devices that connect to the Internet, carries the possibility of being hacked.

"It's with these issues in mind that we purposely built in so many privacy and security measures into all ToyTalk products -- from our first kids' apps to Hello Barbie," the company's co-founder and chief technology officer, Martin Reddy, wrote in an email.

Reddy stressed that Jakubowski's activities did not technically constitute a hack, given that the researcher was only able to access the same information that the companion app already stores. Jakubowski wasn't able to access the user's Wi-Fi password or any digital files of the child talking.

ToyTalk also has measures in place should privacy breaches become apparent, including a "bug bounty" program incentivizing security researchers to disclose potential vulnerabilities, according to a blog post published on the company's Tumblr.

Privacy advocates have called the doll "creepy" and claimed it eavesdrops on children, according to The Washington Post, and a petition asking Mattel to drop the Barbie had attracted more than 37,000 signatures as of Monday afternoon. 

David Monahan of The Campaign for a Commercial-Free Childhood said the toy is vulnerable to hacking and thinks parents should be skeptical of ToyTalk's "bug bounty" program. 

"It is disturbing to think that the companies did not work out these flaws before releasing the doll to the public," he said in an email to HuffPost. "Any parent allowing their child’s conversations with Hello Barbie to be recorded and shared with ToyTalk is apparently offering up sensitive information about their child to an experiment in the development of artificial-intelligence toys, with the likelihood that the information will end up in the hands of countless unknown parties."
