A recent review of the Internet-connected Hello Barbie doll from toymaker Mattel uncovered several red flags. Not only did the toy use a weak authentication mechanism that made it possible for attackers to monitor communications the doll sent to servers, but those servers were also vulnerable to POODLE, an attack disclosed 14 months ago that breaks HTTPS encryption.
The vulnerabilities, laid out in a report published Friday by security firm Bluebox Labs, are the latest black eye for so-called “Internet of Things” devices. The term is applied to appliances and other everyday devices that are connected to the Internet, supposedly to give them a wider range of capabilities. The Hello Barbie doll is able to hold real-time conversations by uploading the words a child says to a server. Instant processing on the server then allows the doll to provide an appropriate response.
Bluebox researchers uncovered a variety of weaknesses in the iOS and Android apps developed by Mattel partner ToyTalk. The apps are used to connect the doll to a nearby Wi-Fi network. The researchers also reported vulnerabilities in the remote server used to communicate with the doll.
From Friday’s report:
We discovered several issues with the Hello Barbie app including:
- It utilizes an authentication credential that can be re-used by attackers
- It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
- It shipped with unused code that serves no function but increases the overall attack surface
On the server side, we also discovered:
- Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
- The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack
Bluebox said that several of the vulnerabilities, including the POODLE weakness, were closed after they were privately reported. ToyTalk should be commended for moving quickly, but the bigger point is that a third party was able to find these problems at all rather than ToyTalk proactively finding them on its own.
Today, nowhere is the Internet of Things more of a potential landmine than with devices marketed to children. The Bluebox report comes on the heels of the server breach of VTech, the toy manufacturer whose weak server security and lax privacy practices leaked personal information for tens of millions of parents and children, including gigabytes’ worth of kids’ headshots. Earlier this year, some privacy advocates had misgivings about Hello Barbie sending children’s utterances to a server for processing. Until manufacturers bake robust security and privacy into their products from the beginning, buyers should remain highly skeptical.