
Uh oh: Wi-Fi Barbie ideal attack target

08 Dec 2015

A Wi-Fi capable Barbie doll is sparking concerns about the security risks if she were hacked.

Security firm Bluebox Labs, along with independent security researcher Andrew Hay, examined the security of the mobile components of the Mattel Hello Barbie.

The Wi-Fi connected doll is able to hold real-time conversations by recording audio and uploading it to the cloud for instant processing of artificial intelligence-based responses.

“With the introduction of Hello Barbie, Mattel has brought one of the world’s most recognisable toys into the Internet of Things era,” Bluebox says on its website.

“For any connected device, strong security must take into account not just the device itself, but the full scope of apps and infrastructure associated with it,” the company explains.

The joint research between Bluebox and Hay covered the mobile app (both the iOS and Android versions, developed by Mattel partner ToyTalk) as well as the communications between the app and the cloud-based servers.

According to Bluebox, several issues with the Hello Barbie app were discovered:

  • It utilises an authentication credential that can be re-used by attackers
  • It connects a mobile device to any unsecured Wi-Fi network if it has ‘Barbie’ in the name
  • It shipped with unused code that serves no function but increases the overall attack surface

On the server side, Bluebox also discovered:

  • Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
  • The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack
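The Wi-Fi finding above (the app joins any unsecured network with "Barbie" in its name) is the classic evil-twin setup: an attacker nearby only has to advertise an open access point whose SSID contains that substring. The following is an added illustration, not code from ToyTalk or Bluebox; the scanned-network list, the SSID names and both join policies are constructed for the example, and the "strict" policy is a minimal hardening (exact SSID match, secured network preferred), not a description of how the app was actually fixed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ScannedNetwork:
    ssid: str
    secured: bool  # True if the AP requires WPA2/WPA3, False if it is open


def weak_join_policy(networks: List[ScannedNetwork]) -> List[ScannedNetwork]:
    """Models the reported behaviour: join any OPEN network whose SSID
    merely contains the word 'Barbie'. A substring match on an open AP is
    not authentication; anyone can broadcast such a name."""
    return [n for n in networks if not n.secured and "Barbie" in n.ssid]


def strict_join_policy(networks: List[ScannedNetwork], expected_ssid: str,
                       require_secured: bool = True) -> List[ScannedNetwork]:
    """Minimal hardening (assumption, not the vendor's fix): only the exact
    SSID the user provisioned, and by default only if the AP is secured.
    Even an exact SSID can be spoofed, so the device and app must still
    authenticate each other over the link (e.g. TLS with pinning) after
    joining; this check just removes the wildcard."""
    return [n for n in networks
            if n.ssid == expected_ssid and (n.secured or not require_secured)]


def rogue_candidates(networks: List[ScannedNetwork], expected_ssid: str) -> List[ScannedNetwork]:
    """Networks the weak policy would join that are NOT the expected AP:
    exactly the set an evil-twin attacker can exploit."""
    return [n for n in weak_join_policy(networks) if n.ssid != expected_ssid]


# Constructed scan result for the example: a home network, the doll's own
# (hypothetical) open setup AP, and an attacker's open look-alike AP.
SCAN = [
    ScannedNetwork("HomeNet", secured=True),
    ScannedNetwork("Barbie1234", secured=False),        # hypothetical doll setup AP
    ScannedNetwork("Free Barbie WiFi", secured=False),  # attacker's evil twin
    ScannedNetwork("CoffeeShop", secured=False),
]

if __name__ == "__main__":
    print("weak policy joins:  ", [n.ssid for n in weak_join_policy(SCAN)])
    print("rogue candidates:   ", [n.ssid for n in rogue_candidates(SCAN, "Barbie1234")])
    print("strict (open ok):   ", [n.ssid for n in strict_join_policy(SCAN, "Barbie1234", False)])
    print("strict (secured):   ", [n.ssid for n in strict_join_policy(SCAN, "Barbie1234")])
```

Run as a script, it shows the weak policy picking up the attacker's "Free Barbie WiFi" alongside the real setup AP, while the strict policy returns only the provisioned SSID, and nothing at all when a secured network is required. The point for a practitioner is that the SSID filter is a convenience, not a trust decision: whatever is sent over that link still needs to be protected end to end.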

Bluebox says it disclosed all critical security issues to ToyTalk prior to publication of the research.

“Due to their fast response time, a number of the issues have already been resolved,” the company says.

Bluebox says all of the issues discovered highlighted the need for more secure app development, as well as the need for integrating self-defending capabilities into not only stand-alone mobile apps, but also the apps that power IoT devices like Hello Barbie.

“Ultimately, this research demonstrates the security of the mobile apps associated with IoT devices must be a higher priority,” the company says.
