
Uh oh: Wi-Fi Barbie ideal attack target

08 Dec 15

A Wi-Fi capable Barbie doll is sparking concerns about the security risks if she was hacked.

Security firm Bluebox Labs, along with independent security researcher Andrew Hay, examined the security of the mobile components of the Mattel Hello Barbie.

The Wi-Fi connected doll is able to hold real-time conversations by recording audio and uploading it to the cloud for instant processing of artificial intelligence-based responses.

“With the introduction of Hello Barbie, Mattel has brought one of the world’s most recognisable toys into the Internet of Things era,” Bluebox says on its website.

“For any connected device, strong security must take into account not just the device itself, but the full scope of apps and infrastructure associated with it,” the company explains.

The joint research between Bluebox and Hay covered the mobile app, both iOS and Android versions, developed by Mattel partner ToyTalk, as well as communications between the app and cloud-based servers.

According to Bluebox, several issues with the Hello Barbie app were discovered:

  • It utilises an authentication credential that can be re-used by attackers
  • It connects a mobile device to any unsecured Wi-Fi network if it has ‘Barbie’ in the name
  • It shipped with unused code that serves no function but increases the overall attack surface
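As an added illustration (not code from Bluebox, ToyTalk or Mattel), the following models the network-selection behaviour in the second bullet beside a stricter policy that pins the exact SSID chosen at setup; the scan results, SSIDs and the `Network` type are constructed assumptions:

```python
# Added example: substring SSID matching versus an exact-match join policy.
# Nothing here is the Hello Barbie app's real code; the scan data is constructed.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Network:
    ssid: str
    security: str  # constructed labels: "open" or "wpa2"


# Constructed scan results: the intended network, an open look-alike with
# "Barbie" in the name, and an unrelated home network.
SCAN = [
    Network("Barbie-1234", "wpa2"),
    Network("Free Barbie WiFi", "open"),
    Network("HomeNet", "wpa2"),
]


def weak_pick(scan: Iterable[Network]) -> Optional[Network]:
    """Mirrors the reported flaw: join any unsecured network whose name
    merely contains 'Barbie'. A look-alike access point satisfies this."""
    for n in scan:
        if "Barbie" in n.ssid and n.security == "open":
            return n
    return None


def strict_pick(scan: Iterable[Network], expected_ssid: str) -> Optional[Network]:
    """Hardened policy: only the exact SSID the user selected during setup
    is eligible, so a partial or look-alike name never matches."""
    for n in scan:
        if n.ssid == expected_ssid:
            return n
    return None


if __name__ == "__main__":
    print("weak policy joins:  ", weak_pick(SCAN))
    print("strict policy joins:", strict_pick(SCAN, "Barbie-1234"))
```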

On the server side, Bluebox also discovered:

  • Client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers
  • The ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack

Bluebox says it disclosed all critical security issues to ToyTalk prior to publication of the research.

“Due to their fast response time, a number of the issues have already been resolved,” the company says.

Bluebox says all of the issues discovered highlighted the need for more secure app development, as well as the need for integrating self-defending capabilities into not only stand-alone mobile apps, but also the apps that power IoT devices like Hello Barbie.

“Ultimately, this research demonstrates the security of the mobile apps associated with IoT devices must be a higher priority,” the company says.
