Slashdot Mirror


Pwned Barbies Spying On Children? Toytalk CEO Downplays Hacking Reports (bt.com)

McGruber writes: Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned. Mattel partnered with ToyTalk to develop "Hello Barbie." ToyTalk CEO Oren Jacob said: "An enthusiastic researcher has reported finding some device data and called that a hack. While the path that the researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge." A petition by the Campaign for a Commercial-Free Childhood asking Mattel to drop the doll has already been signed by over 6,000 people.

NOTE: The original reporting of this hack appears to have been this NBC-Chicago newscast.

16 of 90 comments

  1. Just don't IoT by tompaulco · Score: 3, Insightful

    Just don't IoT. The anti-Nike slogan seems more appropriate in this case.

    --
    If you are not allowed to question your government then the government has answered your question.
    1. Re:Just don't IoT by mlts · Score: 5, Insightful

      Bingo.

      1: Ransomware is on the rise, with new vectors.
      2: There is zero incentive (financial or otherwise) for IoT vendors to do anything but lip service to security. As a PHB told me a few years ago, "show me where purchasing a padlock, a card access reader, or a secure appliance has ever shown a financial gain for any company other than to Assa-Abloy or a lock maker." Of course, this is fallacious reasoning, but it is pretty common.
      3: Testing is abbreviated at best. The goal is to get the IoT devices to market fast... worry about glitches, bugs, and security items later, or maybe fix them in the 2.0 version.
      4: There are no IoT security standards, or architectures [1].
      5: There is no assurance about security, other than maybe a pretty lock icon, or "protected by 256 bit AES"... generic drivel. When I buy a padlock, I can buy one with "Sold Secure", "Insurance lock rated", or other ratings that the lock passed some heavy testing. When I have an electrical appliance, it is UL listed. There is no body that can show security compliance for an IoT device. So, I have nothing but the word of an advertiser.

      All in all, IoT devices are a win/win for tracking companies and blackhats... but for the people shelling out cash for the devices? Not much. I don't have any Bluetooth light bulbs, nor deadbolts accessible from the Internet. And I plan to keep it that way. In fact, if I were to pay for an expensive fridge, it would be a fridge that used propane or natural gas, so a power outage would only turn off the light inside, not affect cooling.

      [1]: An example of a reasonably secure architecture would be devices that communicated via Bluetooth or Wi-Fi to a hardened hub appliance, which then communicated to the Internet. This way, there would be no direct access from the outside to IoT devices, and the hub appliance could be configured with IDS/IPS rules to block out a compromised appliance.
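As an added illustration of the hub architecture mlts describes (not code from the thread, from ToyTalk, Mattel or any vendor), here is a small Python egress-policy check a hardened hub could run over its outbound connection log: each device may reach only its allowlisted servers, and anything else, including a device suddenly talking to an unfamiliar host, is flagged and turned into a drop rule. The log format, device names and destination hosts are constructed assumptions.

```python
from collections import namedtuple
Flow = namedtuple("Flow", "ts device host port")

# Per-device egress allowlist: (host, port) pairs each device may reach.
# Host names are constructed placeholders, not real vendor endpoints.
POLICY = {
    "hello-barbie": {("speech.example-toyvendor.invalid", 443)},
    "smart-bulb": {("cloud.example-bulb.invalid", 443),
                   ("ntp.example.invalid", 123)},
}
# Constructed hub log: one outbound connection per line,
# "<timestamp> <device> <dst-host> <dst-port>".
SAMPLE_LOG = """\
2015-11-30T10:00:01 hello-barbie speech.example-toyvendor.invalid 443
2015-11-30T10:00:05 smart-bulb cloud.example-bulb.invalid 443
2015-11-30T10:01:10 hello-barbie 198.51.100.7 443
2015-11-30T10:02:00 unknown-gadget cloud.example-bulb.invalid 443
"""

def parse_flow(line):
    ts, device, host, port = line.split()
    return Flow(ts, device, host, int(port))

def check_flows(lines, policy=POLICY):
    """Split flows into allowed and violating ones. A violation is a known
    device reaching a destination outside its allowlist, or any flow from
    a device the hub has never been told about."""
    allowed, violations = [], []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        permitted = policy.get(f.device)
        if permitted is None:
            violations.append((f, "unknown device"))
        elif (f.host, f.port) not in permitted:
            violations.append((f, "destination not in allowlist"))
        else:
            allowed.append(f)
    return allowed, violations

def block_rules(violations):
    """One hub firewall rule per offending flow, so a compromised or
    redirected device is cut off at the hub instead of trusted."""
    return sorted({f"drop from {f.device} to {f.host}:{f.port}" for f, _ in violations})

if __name__ == "__main__":
    ok, bad = check_flows(SAMPLE_LOG.splitlines())
    for f, why in bad:
        print(f"ALERT {f.ts} {f.device} -> {f.host}:{f.port} ({why})")
    print("\n".join(block_rules(bad)))
```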

    2. Re:Just don't IoT by Opportunist · Score: 2

      As long as there is zero accountability, there is zero reason to do anything about it.

      Whether a company does anything that cuts into their bottom line is similar to whether they break a law: What does it cost to do it vs. how likely is it to happen and what does it cost if it happens. If either of the latter two (usually the last one) is zero, it will not happen.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Just don't IoT by TWX · Score: 2

      As long as there is zero accountability, there is zero reason to do anything about it.

      This honestly should be a consumer product safety issue, especially for things like the electronics in cars. Like how Microsoft should never have created a web browser so tied-in that it could serve as a vector into the heart of the operating system kernel itself, automakers should never have tied the infotainment systems into the body control and power control modules where anything on those computers could do anything to the operation of the vehicle.

      --
      Do not look into laser with remaining eye.
    4. Re:Just don't IoT by Opportunist · Score: 3, Insightful

      And as soon as you find a judge who actually understands enough of the matter to make such a decision we might see improvement.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. "finding some device data and called that a hack." by Nutria · Score: 2

    Well... the CEO is either right, or he's baited every hacker this side of Timbuktu into hacking those Barbie servers.

    Good thing my daughter has outgrown Barbie!!!

    --
    "I don't know, therefore Aliens" Wafflebox1
  3. This is so cool! by fustakrakich · Score: 3, Funny

    I can hardly wait for WIFI Chucky!

    --
    “He’s not deformed, he’s just drunk!”
  4. Social Services monitoring? by Anonymous Coward · Score: 5, Interesting

    What happens if kids start saying things like "my parents beat me" to these dolls?

    Do child protection services come knocking, or does the company turn a blind eye?

    Both options have important implications.

  5. Re: "finding some device data and called that a ha by Opportunist · Score: 2

    Thank god, mine's more into MLP.

    That's not a line you can use often, so I could not resist.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Great! by martin-boundary · Score: 2

    Can anyone say "pedophile-in-the-middle attack"?

    Looks like it's time to short Mattel stock.

  7. Re: "finding some device data and called that a ha by Mal-2 · Score: 3, Funny

    Are you sure it's so much better to be pwnied?

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  8. But, pedophiles... by GuB-42 · Score: 2

    We just need a story about how pedophiles can hack the network and use it to abuse little girls and soon enough people will be up in arms.
    It doesn't even have to be true.

  9. STEM problem solved by Spugglefink · Score: 4, Funny

    Hack the dolls to say, "Why are you playing with a doll instead of learning calculus?" Then have the dolls teach little girls calculus. Instantly the STEM fields will be bristling with billions of eager girls who love to dress calculus in pretty pink clothes, and take it to the mall.

    Calculus will become a bigger hit than Miley Cyrus having a wardrobe malfunction.

  10. Exact words... by Chris+Mattern · Score: 3, Funny

    "No user data, no Barbie content, and no major security or privacy protections have been compromised to our knowledge."

    And we're going to do our damnedest to make sure we never find out, either.

  11. R00tz Asylum @ defcon FTW by Minupla · Score: 3, Interesting

    This is why I'm glad I've been taking my 7 yr old daughter to defcon's kids track since she was 4. She's been taught the importance of online privacy by the type of folks who could perform this hack. She'd yell at me for buying her this type of gift.

    Seriously, EFF co-sponsors the track each year and it's a good annual inoculation against the dumb messages society tries to pump into her head. She's way more sensible about such things than most adults, never mind 7 yr olds, and we have a shared vocabulary for having discussions around privacy and maintaining control of her own personal information.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  12. Re:Obligatory joke by Solandri · Score: 2

    In 1945, the Soviets spied on the U.S. by giving The Thing to the U.S. Ambassador.
    In 2015, the U.S. will spy on the Russians by giving a Barbie doll to the Russian ambassador's daughter.