More like this

Security

Hello Barbie controversy re-ignited with insecurity claims

Doll leaks data, even before the tear-downs are finished

Hello Barbie teardown by Somerset Recon
Somerset Recon's Hello Barbie teardown

Back in February, The Register queried the security and privacy implications of Mattel's “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy.

After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski (formerly of Trustwave's SpiderLabs) reignited it by extracting Wi-Fi network names, account IDs, and MP3 files from the toy.

That brought a defensive response from Oren Jacob, CEO of ToyTalk (which provides the cloud processing chunk of Hello Barbie). He called Jakubowski an “enthusiastic researcher”, said the data is “already available” to customers, and “no major security or privacy protections have been compromised”.

While it's probably easier to get an SSID by standing outside a house and letting it pop up on your phone's Wi-Fi connection list, an account ID is another matter, since all an attacker needs is to get a password and they have access to the Hello Barbie account.

From ToyTalk's point of view – and Vulture South's – that still looks like an unlikely scenario: is it worth staging a user-by-user attack against a child's doll?

However, in the wake of the weekend's breach of toymaker VTech, the question of children's privacy is now on a few million minds.

Troy Hunt (of HaveIbeenpwned fame) writes about the VTech breach here, and some of his concerns regarding VTech are relevant to Hello Barbie: is it a good idea to extend children's digital footprints to links between physical and digital assets, when they're too young to understand notions of consent?

The other obvious question is how long Hello Barbie's remaining security can last. Over at Somerset Recon, the first of two promised teardown articles has appeared, and it's clear that her innards are as simple as you would expect given the limited space available.

The salient point is Somerset Recon's teaser for its as-yet-unpublished follow-up: those researchers claim to have dumped the 16 megabits of firmware that runs the doll. It would be astonishing if that small an image proved resistant to reverse engineering. ®

Sponsored: 2016 Cyberthreat defense report