“Once again, Mattel’s ‘Hello Barbie’ doll is in the news”.
David Emm, Principal Security Researcher at Kaspersky Lab said :
“The doll is interactive. It is equipped with a computer chip, a microphone, a speaker and it is also Wi-Fi-enabled. When a child presses Barbie’s belt-buckle, the doll asks a question and records the child’s answer. It is then encrypted and sent over the Internet to be processed by the voice-recognition software of Mattel’s technology partner, ToyTalk. The software then sends a command to Barbie to playback a reply stored in the doll, appropriate to whatever the child chooses to talk about.
“Concerns about the doll centre mainly around privacy – the fact that secrets entrusted to the doll by a child are shared with Mattel and its partners. There’s also the potential risk that such data might fall into the hands of hackers, if the security of Mattel or its partners are breached. This issue was highlighted a few days ago when children’s toy-maker VTech revealed that a compromise of its systems led to the theft of names, physical addresses, e-mail addresses, security questions and answers, and more data pf millions of families worldwide [link].
“Recently, security researcher Matt Jakubowski was able to extract Wi-Fi network name, internal MAC address, account IDs and MP3 files from the Hello Barbie doll [link]. This is enough to gain access to the Hello Barbie account and a home network – thereby compromising the wider security of any family of a child using the doll.
“We live in a connected world, where even our children’s toys could become the means for personal data being captured by attackers. It’s really important that, when considering such toys this Christmas, parents look beyond the fun aspect of a toy and consider the impact it might have on their child and the wider family.”