Hello Barbie, Can We Talk About Your Security Issues?
The Hello Barbie app, which is available for iOS and Android, uses an authentication credential that can be reused by hackers, Bluebox disclosed.
It also connects a mobile device to any unsecured WiFi network whose name includes the word “Barbie,” the firm said. Further, it is shipped with unused code that serves no useful function but does increase the overall attack surface.
On the server side, hackers could use client certification authentication credentials outside the app to probe the Hello Barbie cloud servers, Bluebox discovered. Also, the server domain for ToyTalk, which provides the app and the technology that powers Hello Barbie, was on a cloud infrastructure susceptible to the Poodle attack.
“The fact the doll was shipped with such obvious security issues is just another indication of both companies’ blatant disregard for children’s well-being,” said Josh Golin, executive director of CCFC: Campaign for a Commercial-Free Childhood, which is running the “Hell No Barbie” campaign against the talking doll.
Fixing the Problem
“ToyTalk has patched the Poodle vulnerability on their servers, along with a few other minor issues that had minimal impact,” said Andrew Blaich, lead security analyst at Bluebox.
However, the credentials issue “is still being worked on,” he told TechNewsWorld. “ToyTalk has indicated it is an issue and will be investigating solutions, but in the meantime they have other layers of authentication that can make an attack a little harder.”
ToyTalk assumed a sophisticated hacker would discover the P12 certificate in the Hello Barbie app, noted company CTO Martin Reddy.
“We added client certificate authentication, above and beyond what most Internet-connected devices do, as a way to deter a casual attacker,” he told TechNewsWorld.
This attack is only possible during the brief period needed for users to connect the doll to their WiFi networks, Reddy said, and it won’t get anywhere because “even after circumventing this feature, the attacker gains no access to WiFi passwords, no access to child audio data, and cannot change what the doll says.”
Hackers previously have been able to take over and change Hello Barbie’s prerecorded responses, noted security researcher Matthew Jakubowski, who said he had hacked the doll’s OS and gathered system information, WiFi network names, its internal MAC address, account IDs, and the MP3 files used for prerecorded responses.
That information could be used to access the home WiFi network of the doll’s owner and everything Hello Barbie records, he said.
Mattel and ToyTalk “have taken numerous steps to ensure Hello Barbie meets security and safety protocols,” Mattel said in a statement provided to TechNewsWorld by company spokesperson Marissa Beck.
“In all claims we know about, no children’s audio files were accessed; no passwords were compromised; no personal information was disclosed; and no dolls were made to say anything unintended.”
However, parents reportedly can choose to have audio files of conversations their kids have with Hello Barbie stored on ToyTalk’s website. The parents can access the files after logging in — but if hackers were to figure out their passwords, they could access the files as well.
Not So Smart Toys
There are presently no industry standards governing Internet-connected toys, or the IoT in general.
“Trusting the companies to protect kids will not work,” CCFC’s Golin said. “We absolutely need policy solutions to ensure these devices are secure and don’t serve up ads.”
Parents “have no way of knowing if the toy they’re purchasing was securely designed and developed,” Kymberlee Price, Bugcrowd’s senior director of research operations, told TechNewsWorld. “Underestimating the threat … has put hundreds of thousands of children and millions of parents at risk of identity theft, fraud or worse.”