According to researchers from security firm Bluebox Labs and independent researcher Andrew Hay, it is possible that hackers could intercept encrypted data, such as children’s recordings, that the toy, made by Mattel and ToyTalk, sent to its host servers over the Internet via Wi-Fi. It should be noted that there were no actual reports of this occurring – the research simply outlined that this was a possibility.
“As more and more stuff is connected to the network and we’re sending more stuff to servers that we don’t know where they may be located and what sort of security is on them, the best advice for parents is to be careful and be aware of what information they’re sending through internet connected devices,” Andrew Blaich, a researcher at Bluebox Labs, told Motherboard. “Once the information is out of your control you don’t know what’s going to happen with it next.”
The researchers published a report last week detailing the security flaw in the toy. It alleges that ToyTalk used outdated encryption technology that was known to be vulnerable to a well-known attack, POODLE, which involves downgrading the toy's software to make it accessible, allowing any voice recorded on it to be listened to.
ToyTalk says it has now patched the problem. In a statement to Gizmodo it said: “We have been working with Bluebox and appreciate their Responsible Disclosure of issues with respect to Hello Barbie. We are grateful that they informed us of relevant security vulnerabilities, which have been addressed.”
The report does serve to highlight, though, that as more and more products use Internet connectivity – yes, the dreaded overused term “Internet of things” – security needs to be taken seriously.