As reported in The Guardian, Hello Barbie had multiple security issues that would have allowed hackers to reroute the doll's communication to a different server and override the doll's privacy settings. This initial breach would give an attacker access to account information, which would let them learn a home address, listen in on the doll's immediate surroundings, and even take over the doll's responses.
But the fun doesn't end there. Because the doll connects to the internet via a home wireless connection, hackers could use that information to take over the home internet connection, monitor traffic on the connection, and compromise devices and steal information within the home network. A compromised Hello Barbie doll would also be a great tool for people looking to see if and when a family is home. No need to place a microphone inside the house, because Jimmy is playing with it!
It's worth noting that these security issues were discovered by a researcher and disclosed to the manufacturer responsibly. As reported in The Guardian, ToyTalk, the company that partners with Mattel to make Hello Barbie, downplayed the multiple security holes:
"An enthusiastic researcher has reported finding some device data and called that a hack. While the path that researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security nor privacy protections has been compromised to our knowledge."
If the manufacturer of a toy can't understand how an attack that compromises an entire home network is a "major security or privacy" issue, they need to get into another line of work. I don't think we're ready for smart toys until manufacturers can behave responsibly.