Popular holiday gift Hello Barbie may come with threats resulting from serious security flaws, cybersecurity researchers say. The Wi-Fi enabled Barbie has an AI system that processes children's audio input to talk back. Privacy and data security advocates say that hackers could take advantage of the interactive toy's vulnerabilities to collect personal information, compromising user privacy.
The researchers say they've found flaws in the toy's mobile app and in the cloud storage it uses, leaving it vulnerable to data breaches. A hacker can take advantage of these vulnerabilities to eavesdrop on children's private play sessions, turning the doll into a surveillance device without the user's knowledge.
Bluebox Security and Andrew Hay, an independent security researcher, released a report revealing the toy's security flaws. Responding to the news, Michelle Chidoni, Mattel's spokesperson, reassured the public that the company is currently looking into a security solution with ToyTalk. According to the Washington Post, ToyTalk has already fixed several of the security flaws mentioned in the report. Andrew Blaich, the lead security analyst at Bluebox, said:
"It's really important that if you want to use these connected toys, no matter if it's a doll or a tablet, you be really careful about what information is being sent to and from the servers, and how it's secured," Blaich said. "Once data is out of your control, that's it — there's no taking it back, essentially."
Despite audio encryption, security features can be overridden once a hacker manages to access the doll's system, the Guardian reports. Even though one has to push the doll's belly button to start recording a conversation, this may no longer be the case once the doll's system is compromised.
Hello Barbie is set up through a mobile app, and it requires parents' consent for its use. The Barbie records a child's voice through a built-in microphone. To activate the process, a child must click on a button in the doll's stomach. The audio file is then sent to a remote server for processing. The doll draws on thousands of pre-recorded messages to talk back to the child with a suitable response.
Thanks to its AI, the Siri-like Barbie gradually learns about the user's preferences, adjusting its responses accordingly. Whitney Meers writes for the Huffington Post that it's understandable that parents and privacy advocates are concerned over the talk-back toy.
According to the same source, Mark Jakubowski was able to access Barbie's system and, through it, Wi-Fi networks and account IDs. Jakubowski told NBC Chicago's Tammy Leitner that he could discover personal information as well as listen to the audio files Hello Barbie recorded.
According to Jakubowski:
"It's just a matter of time until we are able to replace her servers with ours, and have her say anything we want," The Huffington Post reports.
Concerns over children's privacy are already numerous, especially after a VTech data security breach in which the account profiles of more than 6 million users were compromised.
Hello Barbie is the first interactive doll by Mattel. According to Gizmodo, ToyTalk's Chief Technology Officer Matt Reddy reassured consumers that the two companies will continue to work together to fix the security issues.