The Hello Barbie doll, lights and shadows

Mattel’s Hello Barbie has finally arrived in stores, but security experts have raised questions about security and privacy issues related to the technological toy.

Are you thinking of buying a Barbie for your daughter this Christmas?

Mattel’s Hello Barbie has finally arrived in stores, but security experts have raised questions about security and privacy issues related to the technological toy. The Hello Barbie doll is developed by the startup ToyTalk.

In February, The Register was one of the fist news agency reporting security and privacy implications of the Mattel’s Hello Barbie, and now that the popular doll is available for sale a security researcher has discovered security issues with the toy.

“Its Wi-Fi-connected Barbie toy has a microphone, a speaker, a small embedded computer with a battery that lasts about an hour, and Wi-Fi hardware. When you press a button on her belt buckle, Barbie wakes up, asks a question, and turns on its microphone while the switch is held down.” wrote the register.

Last week, the security expert Matt Jakubowski explained that the new Wi-Fi-Enabled Hello Barbie can be hacked, in the specific case to extract Wi-Fi network names, account IDs, and MP3 files from the toy.

“You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want,” Jakubowski warned.

Oren Jacob, the ToyTalk CEO provided the following statement in response to the Jakubowski affirmation trying to rebuke the alarm.

“An enthusiastic researcher has reported finding some device data and called that a hack.” Jacob said. “While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge.”

Jakubowski explained that it is quite easy to steal the account ID, this means that the attackers need get the password to gain access to the Hello Barbie account. Steal a password could be very simple for example with a spear phishing attack or by using other social engineering techniques.

Unfortunately, the experts at ToyTalk have a different opinion and consider the scenario improbable.

The Campaign for a Commercial-Free Childhood already asked Mattel to drop the Hello Barbie doll, a petition has already been signed by over 6,000 worried people.

We are approaching the holiday season, and recent data breach suffered by the giant VTech raised the question of children’s privacy.

Even if the Hello Barbie doll is secure today, this doesn’t mean that it will be the same tomorrow. Security experts could make a reverse engineering of its software components in order to discover security flaws.

Somerset Recon already reported the news that researchers have dumped the 16 megabits of firmware that runs the doll to analyze it.

“We began dumping the contents of the 16Mbit flash chip, and some pretty neat stuff popped up. Stay tuned for Part Two, where we’ll dive into the architecture of the system and its security implications.” wrote the Somerset Recon.

Stay Tuned!

Pierluigi Paganini

(Security Affairs – Hello Barbie, privacy)