Your Child’s Toy Could Be Spying On Them

One of the most popular gifts this year is the Hello Barbie, an internet-connected doll that actively listens and responds to children, using fairly advanced artificial intelligence. Cybersecurity researchers from Bluebox Security and independent researcher Andrew Hay have uncovered several serious security flaws in the mobile app and cloud storage used by the dolls that may have allowed hackers to listen in to the most private of play sessions.

“We are aware of the Bluebox Security Report and are working closely with ToyTalk to ensure the safety and security of Hello Barbie,” said Michelle Chidoni, spokesperson for Barbie’s manufacturer Mattel.

ToyTalk, who are responsible for the voice features in the doll, are in touch with Bluebox and have “already fixed many of the issues they raised,” the company’s co-founder Martin Reddy told The Washington Post.

This isn’t the first such security breach discovered in children’s toys. Profiles on more than six million children around the world were exposed in a breach at VTech, a toy manufacturer from Hong Kong.

“It’s really important that if you want to use these connected toys, no matter if it’s a doll or a tablet, you be really careful about what information is being sent to and from the servers, and how it’s secured,” said Bluebox lead security analyst Andrew Blaich. “Once data is out of your control, that’s it — there’s no taking it back, essentially.”

The Hello Barbie works by recording children when a button on its stomach is pressed. An audio file is then sent to a server for processing, after which the doll “speaks” one of thousands of prerecorded responses. Parents must consent to the doll’s terms of use and set it up through the mobile app.

While the doll is supposedly secure, the researchers discovered several glaring security problems, including “hardcoded” passwords in security certificates. This could allow an attacker to figure out the password and connect to children’s dolls to listen in on their play time.

It is inevitable and welcome that technology will make its way into toys. Technology can make for a new and exciting world of interactive toys, the likes of which we, as children, could only dream of. But companies must take security seriously. It is beyond unacceptable to expose children to these sorts of security risks.