Hacking Into the Internet of Things: Introducing Hello Barbie
In an attempt to save the Barbie name, Mattel has partnered with ToyTalk to release their first-generation version of the Hello Barbie doll. The doll was released in February for pre-order, and is predicted to be a top seller once it is officially released during the height of the holiday season. The retail price for the doll is $75, and the toymakers hope that the release of Hello Barbie will have a positive impact on Mattel’s stock price, which has fallen almost 50% since 2014.
This version of the iconic Barbie doll sports an updated, friendlier look, as well as Wi-Fi and speech recognition capabilities. The doll is pre-programmed with 8000 pre-recorded responses, and is capable of learning and remembering conversations held with the child who is speaking to her. All interactions between the child and the doll are recorded, and can be posted by parents on social media. This is where the Internet of Things comes into play.
While this seems like it would be a young child’s dream, the technology associated with the doll will open up a whole new world of opportunity for hackers once it is released.
In a conversation with Bryan Schmidt, a member of LMG’s penetration testing team, we discussed one of the main problems associated with Hello Barbie’s Wi-Fi connectivity. Because Hello Barbie must be connected to the Internet in order to access the servers that house her pre-recorded responses, Wi-Fi credentials are stored on her internal hard drive. If someone were able to gain access to a Hello Barbie doll’s information as a result of it connecting to public Wi-Fi (e.g., Starbucks), those credentials could be intercepted and the home network could be breached.
While gaining access to the network is the main security issue connected with Hello Barbie, there is also a possibility that important information disclosed in the background of a Hello Barbie play session could be used by hackers to obtain information about bank accounts, passwords, or even social security numbers. This opportunity exists because every interaction between the child and the doll is recorded and stored for later reference.
Ken Munro is a well-known security researcher who hacked the first smart doll, My Friend Cayla, and has expressed his concerns about the security of Hello Barbie, specifically regarding the passwords used for the Hello Barbie app. In an interview, he stated, “Unlike Cayla, Barbie collates audio in order to drive improved responses. The server side audio processing and response engine looks pretty awesome. Parents can also create online accounts to interface with the engine in order to customize Barbie’s responses too. That’s really neat, but opens up a whole new set of attack vectors that simply don’t apply to Cayla… Parents would never re-use a password for that interface from elsewhere would they?”
This technological innovation is truly amazing, but it carries its fair share of security-related risk. To combat that risk, people are lining up for a chance to hack Hello Barbie so that they can expose weaknesses before any families are affected. If you have any questions or comments about Hello Barbie, send an e-mail to [email protected].