Usually, when you hear about a retailer being hacked, it’s a bad thing, but in this case, it was done with good intentions.
As Forbes recently reported, professional hackers from the security firm Bluebox and OpenDNS set out to intentionally breach the Android and iPhone apps used to access Mattel’s Hello Barbie — a smart toy which actually talks back to its playmate.
Hello Barbie is arguably one of Mattel’s most anticipated holiday products, having garnered mixed attention in the months leading up to its release. In this iteration, Barbie is no longer just an iconic doll, but also a Wi-Fi hub that connects users to an online portal, which, in turn, records the child’s conversations and creates a series of responses in order to have semi-realistic chats.
The researchers uncovered a number of vulnerabilities, including the fact that the app would connect the user’s phone to any Wi-Fi network as long as it contained the word “Barbie” in the network name. It would be a simple step for any hacker to create a malicious Barbie Wi-Fi hub and start collecting data from the phone.
They also uncovered problems in the certificates used to verify the app with the doll and the ToyTalk servers. These security certificates are meant to ensure that all devices participating in the chain of communication are trusted. However, the hackers found that all Hello Barbies use the same “hardcoded” password to authenticate the app with the doll, increasing the risk if that password should be breached.
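The two findings above, name-only trust in the Wi-Fi network and one password shared by every doll, can be contrasted with a stricter pairing check. The Python below is an added example, not code from Mattel, ToyTalk or the researchers; the `Barbie-<serial>` SSID format, the per-device key learned out of band, the HMAC challenge-response and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# All values below are constructed for illustration; none come from the product.
SHARED_PASSWORD = b"same-on-every-doll"   # models the fleet-wide hardcoded secret


def weak_should_join(ssid: str) -> bool:
    """Name-only trust, as the article describes: any SSID containing 'Barbie'."""
    return "Barbie" in ssid


def prove(key: bytes, challenge: bytes) -> bytes:
    """Answer a challenge with HMAC-SHA256 under the given key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AccessPoint:
    """Whatever is broadcasting the SSID: a doll in setup mode or something else."""

    def __init__(self, ssid: str, key: bytes):
        self.ssid = ssid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return prove(self._key, challenge)


def hardened_should_join(ap: AccessPoint, serial: str, device_key: bytes) -> bool:
    """Join only the expected doll, and only if it proves its own per-device key."""
    if ap.ssid != f"Barbie-{serial}":        # exact match, not a substring test
        return False
    challenge = secrets.token_bytes(32)      # fresh per attempt, so old replies are useless
    expected = prove(device_key, challenge)
    return hmac.compare_digest(expected, ap.respond(challenge))


# Per-device keys the app would learn out of band (assumed: a code in the packaging).
KEY_A = hashlib.sha256(b"constructed-key-doll-A").digest()
KEY_B = hashlib.sha256(b"constructed-key-doll-B").digest()

doll_a = AccessPoint("Barbie-A1", KEY_A)
other_doll = AccessPoint("Barbie-A1", KEY_B)           # right name, another unit's key
lookalike = AccessPoint("Barbie-A1", SHARED_PASSWORD)  # right name, only the shared secret
```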
Hello Barbie and her Android and iPhone apps were also vulnerable to what are known as POODLE attacks, allowing traffic and potentially a child’s conversation to be intercepted between the phone and the ToyTalk servers.
Another independent researcher, Matt Jakubowski, who found several other vulnerabilities, told Forbes: “Certainly, a lot of these things sound concerning and, with a device like this leaving any number of small things vulnerable, can lead to a full compromise of your device if you’re not careful. It’s really hard to protect against every attack, but having even the smallest vulnerability can be a big enough hole to gain enough of a foothold on the system and gain further access.”
ToyTalk, maker of the technology used in Hello Barbie, has responded to the findings, with Martin Reddy, CTO and cofounder of the company, saying it had “fixed many of the issues.” Reddy added that most of the potential hacks were “only possible during the few minutes that a user takes to connect the doll to their Wi-Fi network, and, even after circumventing this feature, the attacker gains no access [to] Wi-Fi passwords, no access to child audio data and cannot change what the doll says.”