"We are aware of the Bluebox Security Report and are working closely with ToyTalk to ensure the safety and security of Hello Barbie," said Mattel spokesperson Michelle Chidoni in an emailed statement.
Martin Reddy, co-founder and chief technology officer of ToyTalk — the company behind the voice features in Hello Barbie — told The Washington Post that the company has been working with Bluebox and has “already fixed many of the issues they raised.” The researchers say that they informed ToyTalk about the issues in mid-November and that the company was very responsive.
But the news comes on the heels of a major breach at VTech, a Hong Kong-based seller of toys for toddlers and young children, which exposed profiles on more than 6 million children around the world. And Hello Barbie's security issues are yet another sign that Internet-connected devices are making their way into children's hands with problems that leave privacy at risk.
“It's really important that if you want to use these connected toys, no matter if it's a doll or a tablet, you be really careful about what information is being sent to and from the servers, and how it's secured," said Andrew Blaich, lead security analyst at Bluebox. “Once data is out of your control, that's it — there's no taking it back, essentially.”
Consumer advocates raised alarm bells about Hello Barbie before the security flaws were uncovered. In fact, even before Hello Barbie was released, they circulated a petition that called the doll “creepy.”
But the researchers say they found a number of security problems in the app, including that the digital certificate meant to confirm the legitimacy of the connection between the doll and the app was protected by a “hardcoded” password. Every copy of the app used the same password as part of this verification process, so an attacker who recovered it could build a fraudulent app that could potentially steal data, including audio recordings, passing between the doll and ToyTalk's servers.
And during the setup process, the researchers say the app would connect the phone to any unsecured WiFi network with the word “Barbie” in its name. That would make it easy for an attacker to create a Barbie-labeled WiFi hub to steal data.
“It's important to note that this attack is only possible during the few minutes that a user takes to connect the doll to their WiFi network and, even after circumventing this feature, the attacker gains no access [to] WiFi passwords, no access to child audio data, and cannot change what the doll says,” ToyTalk's Reddy said.
The researchers also say that the secure connection between the doll and the server was vulnerable to a highly publicized attack disclosed last year. Known as POODLE, it allows an attacker to trick a server into falling back to an older, weaker form of encryption that one could crack after intercepting the data, Hay said. The company has now fixed this problem, Reddy said.
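The article describes POODLE only in outline. The following is an added example, not code from the article, from Bluebox or from ToyTalk, and it does not claim to show how ToyTalk's servers were configured or fixed. It is a toy model of the one step POODLE depends on, forcing the client's version fallback down to SSLv3, beside the two standard server-side defences: refusing SSLv3 outright, and honouring the TLS_FALLBACK_SCSV signal from RFC 7507 so a forced fallback is detected. The server settings, the attacker behaviour and the client's fallback order are constructed for illustration; real TLS version negotiation and the SSLv3 padding-oracle step itself are not modelled.

```python
"""Toy model of the protocol-downgrade step behind POODLE and its defences.

Constructed example: a browser-style client that steps down through TLS
versions when a handshake fails, an attacker who drops every handshake
above SSLv3, and three server configurations (constructed, not ToyTalk's).
"""

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600       # RFC 7507 signalling cipher suite value
AES128_GCM_SHA256 = 0x009C       # an ordinary cipher suite the client offers
NAMES = {SSL3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


class HandshakeFailure(Exception):
    """Fatal alert from the server; args[0] is the alert description."""


def server_hello(client_version, cipher_suites, server_max, server_min, honour_scsv):
    """Server side of version negotiation: return the chosen version or alert."""
    if client_version < server_min:
        raise HandshakeFailure("protocol_version")
    # RFC 7507: if the client signals a fallback (SCSV present) but offers
    # less than the highest version we support, something forced the
    # downgrade, so abort instead of negotiating the weaker protocol.
    if honour_scsv and TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        raise HandshakeFailure("inappropriate_fallback")
    return min(client_version, server_max)


def attacker_drops(client_version, attacker_max):
    """POODLE's first step: break every handshake above the target version
    so the client's fallback logic steps down to it."""
    return client_version > attacker_max


def client_connect(server, attacker_max=SSL3, send_scsv=True):
    """Fallback dance: try TLS 1.2 first, step down on a dropped connection.
    Returns (negotiated_version, alert) where exactly one is None."""
    for attempt, version in enumerate((TLS12, TLS11, TLS10, SSL3)):
        suites = [AES128_GCM_SHA256]
        if send_scsv and attempt > 0:        # RFC 7507 s4: SCSV on every retry
            suites.append(TLS_FALLBACK_SCSV)
        if attacker_drops(version, attacker_max):
            continue                          # connection reset, client retries lower
        try:
            return server_hello(version, suites, **server), None
        except HandshakeFailure as alert:
            return None, alert.args[0]        # fatal alert: client gives up
    return None, "exhausted"


# Constructed server configurations (hypothetical, not any real deployment).
VULNERABLE_SERVER = dict(server_max=TLS12, server_min=SSL3, honour_scsv=False)
SCSV_SERVER = dict(server_max=TLS12, server_min=SSL3, honour_scsv=True)
NO_SSL3_SERVER = dict(server_max=TLS12, server_min=TLS10, honour_scsv=False)


if __name__ == "__main__":
    for label, server in [("still allows SSLv3", VULNERABLE_SERVER),
                          ("honours TLS_FALLBACK_SCSV", SCSV_SERVER),
                          ("SSLv3 disabled", NO_SSL3_SERVER)]:
        version, alert = client_connect(server)
        print(f"{label:28s} -> {NAMES.get(version, 'no connection')}"
              f"{' (' + alert + ')' if alert else ''}")
    version, _ = client_connect(SCSV_SERVER, send_scsv=False)
    print(f"{'SCSV server, old client':28s} -> {NAMES[version]}")
```

Against the server that still accepts SSLv3 the attacker wins the downgrade even though the client sent the SCSV, because the server ignores it. The SCSV-honouring server catches the forced fallback and aborts, and the server with SSLv3 disabled simply refuses the final hello; in both cases the attacker gets a failed connection rather than weakly encrypted traffic. The last case shows why disabling SSLv3 is the more robust fix: SCSV only protects clients that send it.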
Mattel and ToyTalk have both gone to great lengths to assure customers that they take privacy and security seriously. ToyTalk has even started a “bug bounty” program that rewards independent researchers who come forward with problems they've found and work with the company to fix them.
However, even with that caveat, experts say the doll's security problems may open the companies up to action from the Federal Trade Commission, which cracks down on companies that violate their privacy promises, because consumers probably expect that reasonable security measures include protecting against well-known flaws such as POODLE. The agency also has special powers under the Children's Online Privacy Protection Act to go after companies that fail to adequately protect the personal information of children 12 and under, including voice recordings.
The FTC declined to comment specifically on the Hello Barbie incident because it neither confirms nor denies potential investigations. But David Vladeck, a former director of the FTC's Bureau of Consumer Protection and a professor at the Georgetown University Law Center, said the issue is probably on the commission's radar.
“It has always taken its responsibility to protect children very seriously,” he said. “This is very much in the core of what the FTC is concerned about, and I assume they are taking a very hard look at this.”
Correction: An earlier version of this story misspelled the last name of the Bluebox researcher; he is Andrew Blaich, not Bleich. We regret the error.