Mattel’s “Hello Barbie”, a Barbie doll that talks, contains a security flaw that could allow personal information to be stolen by malicious attackers.
The new “Hello Barbie” is Wi-Fi enabled and contains speech recognition technology. The companion app requires parents to set up a ToyTalk account to activate the doll, which can remember up to 3 Wi-Fi locations.
According to Mattel, “Hello Barbie”, which retails for $75, “listens and remembers the user’s likes and dislikes, giving everyone their own unique experience.”
Unfortunately, security researcher Matthew Jakubowski told NBC News that the new Barbie stores personalized data in the cloud, and that he was able to pull information from it that he really should not be able to access.
Jakubowski says that he was able to access system information, including the names of Wi-Fi networks that the dolls had connected to, internal MAC addresses that allowed him to link to individual dolls, account IDs, and even MP3 files.
“You can take that information and find out a person’s house or business,” Mr. Jakubowski told NBC. “It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”
ToyTalk did not appear to think the hack was too much to worry about.
“In this case, the information that was discovered does not identify a child, nor does it compromise any audio of a child speaking,” a spokesperson told NBC. “We put parents in control of their child’s data, beginning with parental consent and by giving them the option to review and delete any or all of their child’s interactions with Hello Barbie.”
So, if any information is hacked, it’s the parents’ fault it wasn’t deleted? Interesting.
“An enthusiastic researcher has reported finding some device data and called that a hack. While the path that researcher used to find that data is not obvious and not user-friendly, it is important to note that all that information was already directly available to Hello Barbie customers through the Hello Barbie Companion App. No user data, no Barbie content, and no major security nor privacy protections has been compromised to our knowledge,” they added.
News of the security-flawed doll follows closely on the heels of the VTech data breach that compromised the information of almost 5 million adults and 200 thousand children. What are toy companies doing to protect this sensitive data?