Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports (bt.com)
McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.
Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.
NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.
What happens if kids start saying things like "my parents beat me" to these dolls?
Do child protection services come knocking, or does the company turn a blind eye?
Both options have important implications.
This is why I'm glad I've been taking my 7 yr old daughter to defcon's kids track since she was 4. She's been taught the importance of online privacy by the type of folks who could perform this hack. She'd yell at me for buying her this type of gift.
Seriously, EFF co-sponsors the track each year and it's a good annual inoculation against the dumb messages society tries to pump into her head. She's way more sensible about such things than most adults, never mind 7 yr olds, and we have a shared vocabulary for having discussions around privacy and maintaining control of her own personal information.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before