The Hello Barbie doll, which is connected to the Internet, has a number of security flaws, experts have warned.
A report released Friday by security firm Bluebox describes several vulnerabilities in the $75 doll. According to the firm, the doll records speech when someone talks to it, sends the recording to the cloud to be analyzed, and a response is chosen there and sent back to the doll.
[Embedded tweet from FOX 32 News (@fox32news), December 4, 2015]
However, the analysis concludes that this process is vulnerable at several points. The companion app would connect the phone to any Wi-Fi network whose name contained the word “Barbie”, including open networks with no encryption at all. Since anyone can broadcast a network with “Barbie” in its name, an attacker nearby can get the phone to join an access point they control and read or alter the traffic that crosses it.
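To make the selection flaw concrete, here is an added example (not the Hello Barbie app's code, and not from Bluebox's report) that contrasts a "substring in the SSID" rule with a stricter one. The scan results, the expected SSID `Barbie-7F3A`, and the idea that the app knows the exact name it is looking for are all assumptions made for the illustration.

```python
# Added example (not the Hello Barbie app's code): network selection by SSID
# substring versus a stricter rule. Scan results and SSIDs are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Network:
    ssid: str
    encrypted: bool      # False means an open network with no encryption
    signal_dbm: int      # closer to 0 is a stronger signal


def pick_network_naive(scan: List[Network]) -> Optional[Network]:
    """The behaviour Bluebox described: any SSID containing 'Barbie' will do,
    open or not. The strongest signal wins, so a rogue AP placed close to the
    phone wins."""
    matches = [n for n in scan if "barbie" in n.ssid.lower()]
    return max(matches, key=lambda n: n.signal_dbm, default=None)


def pick_network_strict(scan: List[Network], expected_ssid: str) -> Optional[Network]:
    """Stricter rule (an assumed design, not Mattel's or ToyTalk's): exact SSID
    match only, no open networks, and refuse to guess when more than one AP
    advertises the expected name, because a duplicate is exactly what an
    evil-twin access point looks like."""
    matches = [n for n in scan if n.ssid == expected_ssid and n.encrypted]
    if len(matches) != 1:
        return None
    return matches[0]


# Constructed scan: the doll's own network, an attacker's open AP that is
# closer to the phone than the doll is, and an unrelated home network.
SAMPLE_SCAN = [
    Network("Barbie-7F3A", encrypted=True, signal_dbm=-62),
    Network("Free Barbie WiFi", encrypted=False, signal_dbm=-38),
    Network("HomeNet", encrypted=True, signal_dbm=-50),
]

if __name__ == "__main__":
    print("naive choice :", pick_network_naive(SAMPLE_SCAN))
    print("strict choice:", pick_network_strict(SAMPLE_SCAN, "Barbie-7F3A"))
```

The stricter rule only removes the easy case. An SSID is chosen by whoever runs the access point, so it is a hint about which network to try, never proof of which device is on the other end; after joining, the app still has to authenticate the doll's endpoint before trusting anything it sends.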
According to Bluebox:
We discovered several issues with the Hello Barbie app including:
– It utilizes an authentication credential that can be re-used by attackers
– It connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name
– It shipped with unused code that serves no function but increases the overall attack surface
On the server side, we also discovered:
– Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
– The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack
POODLE (CVE-2014-3566), disclosed in October 2014, about 14 months before this report, is a downgrade attack on HTTPS: an attacker on the network path who can force a connection back to the obsolete SSLv3 protocol can exploit its weak CBC padding check to decrypt small pieces of the traffic, such as a session cookie, one byte at a time. The fix is simply to stop accepting SSLv3 on the server, and as the firm noted, Hello Barbie’s servers still accepted it.
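The check Bluebox would have run against the ToyTalk domain is whether the server still negotiates SSLv3 at all. The following is an added example, not code from Bluebox's report and not tied to any real server: it builds a bare SSLv3 ClientHello offering only CBC cipher suites (the ones POODLE applies to) and classifies the first record the server sends back. A ServerHello at version 3.0 means SSLv3 is still on; a `protocol_version` or `handshake_failure` alert means it has been disabled, which is what ToyTalk's statement describes. The two sample replies at the bottom are constructed by hand for the tests; `probe()` is the only part that touches the network and is not called at import time.

```python
# Added example (not from Bluebox's report or ToyTalk's servers): a minimal
# SSLv3 ClientHello plus a classifier for the server's first record.
import os
import socket
import struct

SSLV3 = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
# CBC suites the POODLE padding oracle applies to (IANA code points).
CBC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def build_sslv3_client_hello(random32=None):
    """Record layer + handshake header + ClientHello body, all at version 3.0."""
    random32 = random32 or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSLV3 + random32 + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(resp):
    """Return (verdict, detail) for the first SSL/TLS record a server sent back."""
    if len(resp) < 7:
        return ("unknown", "short or empty response")
    ctype = resp[0]
    if ctype == ALERT:
        desc = resp[6]                                # record header is 5 bytes, then level, description
        name = {40: "handshake_failure", 70: "protocol_version"}.get(desc, str(desc))
        return ("sslv3_refused", name)
    if ctype == HANDSHAKE and resp[5] == SERVER_HELLO and len(resp) >= 11:
        version = resp[9:11]                          # ServerHello body starts at offset 9
        if version != SSLV3:
            return ("sslv3_refused", "server chose %02x%02x" % (version[0], version[1]))
        # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
        if len(resp) < 44:
            return ("unknown", "truncated ServerHello")
        off = 44 + resp[43]
        if len(resp) < off + 2:
            return ("unknown", "truncated ServerHello")
        suite = struct.unpack("!H", resp[off:off + 2])[0]
        return ("sslv3_accepted", CBC_SUITES.get(suite, "0x%04x" % suite))
    return ("unknown", "unexpected record type 0x%02x" % ctype)


def probe(host, port=443, timeout=5.0):
    """Send the SSLv3 ClientHello to a live server and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        return classify_response(s.recv(4096))


# Constructed sample replies (not captured from any real server).
# 1) ServerHello at version 3.0 selecting TLS_RSA_WITH_AES_128_CBC_SHA.
SAMPLE_SERVER_HELLO_SSLV3 = (
    bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", 42)
    + bytes([SERVER_HELLO]) + (38).to_bytes(3, "big")
    + SSLV3 + b"\x00" * 32 + b"\x00" + struct.pack("!H", 0x002F) + b"\x00"
)
# 2) Fatal protocol_version alert: the server no longer speaks SSLv3.
SAMPLE_ALERT_PROTOCOL_VERSION = bytes([ALERT]) + b"\x03\x01" + struct.pack("!H", 2) + b"\x02\x46"

if __name__ == "__main__":
    print(classify_response(SAMPLE_SERVER_HELLO_SSLV3))
    print(classify_response(SAMPLE_ALERT_PROTOCOL_VERSION))
```

This is a protocol-version check, not a full POODLE exploit: it tells you whether the server will still complete the first step of an SSLv3 handshake with a CBC suite, which is the condition that makes the padding-oracle attack possible. The server-side fix is the one ToyTalk names, removing SSLv3 from the accepted protocols, after which the probe should return `sslv3_refused`.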
Bluebox reported its findings to Mattel and to ToyTalk, which operates the doll’s cloud servers.
According to NBC News, which obtained a statement from both companies, the two are working on the problem.
“We have been working with Bluebox and appreciate their Responsible Disclosure of several issues with respect to Hello Barbie. We have already fixed many of the issues they raised, such as removing the weaker SSLv3 ciphers from our servers,” ToyTalk said in a statement.
Mattel said it’s “working closely” with Bluebox to “ensure the safety and security of Hello Barbie.”